Created
January 15, 2019 13:12
This file has been truncated, but you can view the full file.
| <?xml version="1.0" encoding="UTF-8"?> | |
| <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-7" resolved="1" xml:lang="en-US" style="SCAP_1.2"> | |
| <status date="2018-10-01">draft</status> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Guide to the Secure Configuration of Red Hat Enterprise Linux 7</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guide presents a catalog of security-relevant | |
| configuration settings for Red Hat Enterprise Linux 7. It is a rendering of | |
| content structured in the eXtensible Configuration Checklist Description Format (XCCDF) | |
| in order to support security automation. The SCAP content | |
| is available in the <html:code xmlns:html="http://www.w3.org/1999/xhtml">scap-security-guide</html:code> package which is developed at | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| Providing system administrators with such guidance informs them how to securely | |
| configure systems under their control in a variety of network roles. Policy | |
| makers and baseline creators can use this catalog of settings, with its | |
| associated references to higher-level security control catalogs, in order to | |
| assist them in security baseline creation. This guide is a <html:em xmlns:html="http://www.w3.org/1999/xhtml">catalog, not a | |
| checklist</html:em>, and satisfaction of every item is not likely to be possible or | |
| sensible in many operational scenarios. However, the XCCDF format enables | |
| granular selection and adjustment of settings, and their association with OVAL | |
| and OCIL content provides an automated checking capability. Transformations of | |
| this document, and its associated automated checking content, are capable of | |
| providing baselines that meet a diverse set of policy objectives. Some example | |
| XCCDF <html:em xmlns:html="http://www.w3.org/1999/xhtml">Profiles</html:em>, which are selections of items that form checklists and | |
| can be used as baselines, are available with this guide. They can be | |
| processed, in an automated fashion, with tools that support the Security | |
| Content Automation Protocol (SCAP). The DISA STIG, which provides required | |
| settings for US Department of Defense systems, is one example of a baseline | |
| created from this guidance. | |
| </description> | |
| <notice xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" id="terms_of_use">Do not attempt to implement any of the settings in | |
| this guide without first testing them in a non-operational environment. The | |
| creators of this guidance assume no responsibility whatsoever for its use by | |
| other parties, and make no guarantees, expressed or implied, about its | |
| quality, reliability, or any other characteristic. | |
| </notice> | |
| <front-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The SCAP Security Guide Project<html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| <html:a xmlns:html="http://www.w3.org/1999/xhtml" href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a> | |
| </front-matter> | |
| <rear-matter xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Red Hat and Red Hat Enterprise Linux are either registered | |
| trademarks or trademarks of Red Hat, Inc. in the United States and other | |
| countries. All other names are registered trademarks or trademarks of their | |
| respective companies. | |
| </rear-matter> | |
| <platform idref="cpe:/o:redhat:enterprise_linux:7"/> | |
| <platform idref="cpe:/o:redhat:enterprise_linux:7::client"/> | |
| <platform idref="cpe:/o:redhat:enterprise_linux:7::computenode"/> | |
| <version update="https://github.com/OpenSCAP/scap-security-guide/releases/latest">0.1.41</version> | |
| <metadata xmlns:xhtml="http://www.w3.org/1999/xhtml"> | |
| <dc:publisher xmlns:dc="http://purl.org/dc/elements/1.1/">SCAP Security Guide Project</dc:publisher> | |
| <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">SCAP Security Guide Project</dc:creator> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank J Cameron (CAM1244) <cameron@ctc.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">0x66656c6978 <0x66656c6978@users.noreply.github.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Gabe Alford <redhatrises@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Firas AlShafei <firas.alshafei@us.abb.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Christopher Anderson <cba@fedoraproject.org></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chuck Atkins <chuck.atkins@kitware.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ryan Ballanger <root@rballang-admin-2.fastenal.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Alex Baranowski <alex@euro-linux.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Molly Jo Bault <Molly.Jo.Bault@ballardtech.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Alexander Bergmann <abergmann@suse.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jose Luis BG <bgjoseluis@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joseph Bisch <joseph.bisch@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeffrey Blank <blank@eclipse.ncsc.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Olivier Bonhomme <ptitoliv@ptitoliv.net></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ted Brunell <tbrunell@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Blake Burkhart <blake.burkhart@us.af.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Patrick Callahan <pmc@patrickcallahan.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Nick Carboni <ncarboni@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">James Cassell <james.cassell@ll.mit.edu></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank Caviggia <fcaviggi@ra.iad.redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Eric Christensen <echriste@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Caleb Cooper <coopercd@ornl.gov></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Deric Crago <deric.crago@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Maura Dailey <maura@eclipse.ncsc.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Klaas Demter <demter@atix.de></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew DiPrinzio <andrew.diprinzio@jhuapl.edu></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jean-Baptiste Donnette <jean-baptiste.donnette@epita.fr></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">drax <applezip@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Greg Elin <gregelin@gitmachines.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Leah Fisher <lfisher047@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew Gilmore <agilmore2@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Glemza <jglemza@nasa.gov></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Loren Gordon <lorengordon@users.noreply.github.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Steve Grubb <sgrubb@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Marek Haicman <mhaicman@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rebekah Hayes <rhayes@corp.rivierautilities.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Trey Henefield <thenefield@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">hex2a <hex2a@users.noreply.github.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">John Hooks <jhooks@starscream.pa.jhbcomputers.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Robin Price II <robin@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeremiah Jahn <jeremiah@goodinassociates.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Stephan Joerrens <Stephan.Joerrens@fiduciagad.de></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kai Kang <kai.kang@windriver.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Charles Kernstock <charles.kernstock@ultra-ats.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Yuli Khodorkovskiy <ykhodorkovskiy@tresys.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Peter 'Pessoft' Kolínek <github@pessoft.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Luke Kordell <luke.t.kordell@lmco.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">kspargur <kspargur@kspargur.csb></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Fen Labalme <fen@civicactions.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ian Lee <lee1001@llnl.gov></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jan Lieskovsky <jlieskov@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Šimon Lukašík <slukasik@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Milan Lysonek <mlysonek@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Fredrik Lysén <fredrik@pipemore.se></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Matus Marhefka <mmarhefk@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jamie Lorwey Martin <jlmartin@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael McConachie <michael@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Khary Mendez <kharyam@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rodney Mercer <rmercer@harris.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Matt Micene <nzwulfin@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Millett <bmillett@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">mmosel <mmosel@kde.example.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Zbynek Moravec <zmoravec@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kazuo Moriwaka <moriwaka@users.noreply.github.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Moseley <michael@eclipse.ncsc.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joe Nall <joe@nall.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Neiloy <neiloy@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michele Newman <mnewman@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Sean O'Keeffe <seanokeeffe797@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ilya Okomin <ilya.okomin@oracle.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kaustubh Padegaonkar <theTuxRacer@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michael Palmiotto <mpalmiotto@tresys.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Max R.D. Parmer <maxp@trystero.is></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">pcactr <paul.c.arnold4.ctr@mail.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenneth Peeples <kennethwpeeples@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Nathan Peters <Nathaniel.Peters@ca.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Frank Lin PIAT <fpiat@klabs.be></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Stefan Pietsch <mail.ipv4v6+gh@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Martin Preisler <mpreisle@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Wesley Ceraso Prudencio <wcerasop@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Raphael Sanchez Prudencio <rsprudencio@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">T.O. Radzy Radzykewycz <radzy@windriver.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenyon Ralph <kenyon@kenyonralph.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rick Renshaw <Richard_Renshaw@xtoenergy.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Reynolds <c.reynolds82@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Pat Riehecky <riehecky@fnal.gov></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">rlucente-se-jboss <rlucente@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Joshua Roys <roysjosh@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">rrenshaw <bofh69@yahoo.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Ruffalo <chris.ruffalo@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Ray Shaw (Cont ARL/CISD) rvshaw <rvshaw@esme.arl.army.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Willy Santos <wsantos@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Gautam Satish <gautams@hpe.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Watson Sato <wsato@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Satoru SATOH <satoru.satoh@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Alexander Scheel <ascheel@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Spencer Shimko <sshimko@tresys.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Sjögren <konstruktoid@users.noreply.github.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Francisco Slavin <fslavin@tresys.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">David Smith <dsmith@eclipse.ncsc.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin Spargur <kspargur@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kenneth Stailey <kstailey.lists@gmail.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Leland Steinke <leland.j.steinke.ctr@mail.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Brian Stinson <brian@bstinson.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Philippe Thierry <phil@reseau-libre.net></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Paul Tittle <ptittle@cmf.nrl.navy.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jeb Trayer <jeb.d.trayer@uscg.mil></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Matěj Týč <matyc@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">VadimDor <29509093+VadimDor@users.noreply.github.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Shawn Wells <shawn@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Roy Williams <roywilli@roywilli.redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Rob Wilmoth <rwilmoth@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Lucas Yamanishi <lucas.yamanishi@onyxpoint.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui Yang <xirui.yang@oracle.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin Zimmerman <kevin.zimmerman@kitware.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Jan Černý <jcerny@redhat.com></dc:contributor> | |
| <dc:contributor xmlns:dc="http://purl.org/dc/elements/1.1/">Michal Šrubař <msrubar@redhat.com></dc:contributor> | |
| <dc:source xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source> | |
| </metadata> | |
| <model system="urn:xccdf:scoring:default"/> | |
| <Profile id="xccdf_org.ssgproject.content_profile_hipaa"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Health Insurance Portability and Accountability Act (HIPAA)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">The HIPAA Security Rule establishes U.S. national standards to protect individuals’ | |
| electronic personal health information that is created, received, used, or | |
| maintained by a covered entity. The Security Rule requires appropriate | |
| administrative, physical and technical safeguards to ensure the | |
| confidentiality, integrity, and security of electronic protected health | |
| information. | |
| This profile configures Red Hat Enterprise Linux 7 to the HIPAA Security | |
| Rule identified for securing electronic protected health information.</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_xinetd_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypbind_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypserv_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_crond_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rexec_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rlogin_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rsh_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_ypbind_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_zebra_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_compression" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_encrypt_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_selinux" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_kdump_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_expiration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ntp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_ospp42"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">OSPP - Protection Profile for General Purpose Operating Systems v. 4.2</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile reflects mandatory configuration controls identified in the | |
| NIAP Configuration Annex to the Protection Profile for General Purpose | |
| Operating Systems (Protection Profile Version 4.2). | |
| This Annex is consistent with CNSSI-1253, which requires US National Security | |
| Systems to adhere to certain configuration parameters. Accordingly, configuration | |
| guidance produced according to the requirements of this Annex is suitable for use | |
| in US National Security Systems.</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_installed_OS_is_certified" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_tmout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_slub_debug_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_page_poison_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_vsyscall_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_memcache_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_abrt_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_sendmail_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_logins" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disk_partitioning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ntp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="12"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="never"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="usgcb_default"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_standard"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Standard System Security Profile for Red Hat Enterprise Linux 7</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains rules to ensure a standard security baseline | |
| of a Red Hat Enterprise Linux 7 system. Regardless of your system's workload, | |
| all of these checks should pass.</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_abrtd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_atd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_ntpdate_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_qpidd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rdisc_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_logins" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_expiration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_login_events" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub2" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_execshield_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ssh" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ssh_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ntp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_nist-800-171-cui"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">From NIST 800-171, Section 2.2: | |
| Security requirements for protecting the confidentiality of CUI in nonfederal | |
| information systems and organizations have a well-defined structure that | |
| consists of: | |
| (i) a basic security requirements section; | |
| (ii) a derived security requirements section. | |
| The basic security requirements are obtained from FIPS Publication 200, which | |
| provides the high-level and fundamental security requirements for federal | |
| information and information systems. The derived security requirements, which | |
| supplement the basic security requirements, are taken from the security controls | |
| in NIST Special Publication 800-53. | |
| This profile configures Red Hat Enterprise Linux 7 to the NIST Special | |
| Publication 800-53 controls identified for securing Controlled Unclassified | |
| Information (CUI).</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_installed_OS_is_certified" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_xinetd_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypbind_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypserv_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_crond_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rexec_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rlogin_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rsh_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_sshd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_ypbind_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_zebra_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_compression" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_selinux" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_cron_allow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_abrt_anon_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_abrt_handle_event" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_cron_can_relabel" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_cron_system_cronjob_use_shares" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_cron_userdomain_transition" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_daemons_dump_core" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_daemons_use_tcp_wrapper" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_daemons_use_tty" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_deny_execmem" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_deny_ptrace" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_domain_fd_use" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_domain_kernel_load_modules" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_gpg_web_anon_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_guest_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_kerberos_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_logadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_can_sendmail" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_use_tty" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_login_console_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_mmap_low_allowed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_mock_enable_homedirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_mount_anyfile" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secure_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secure_mode_policyload" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_direct_dri_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_mysql_connect_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_ping" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_postgresql_connect_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_rw_noexattrfile" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_share_music" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_tcp_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_udp_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_use_ssh_chroot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_ssh_chroot_rw_homedirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_ssh_keysign" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_staff_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_sysadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_unconfined_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_use_ecryptfs_home_dirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_user_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_bind_vnc_tcp_port" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_exec_bootloader" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_sysadm_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_write_home" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_connect_network" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_mount_media" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_use_bluetooth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xserver_clients_write_xshm" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xserver_execmem" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xserver_object_manager" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_scan_notification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_verify_acls" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_antivirus" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_hids" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ldap_client_start_tls" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_kdump_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_tmout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_opensc_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_configure_opensc_nss_db" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_force_opensc_card_drivers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_enable_smartcards" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_memcache_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_encrypt_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_enable_dconf_user_profile" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_clean_components_post_updating" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="usgcb_default"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="15"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="10_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="never"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value" selector="enabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" selector="root"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" selector="single"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_flush" selector="data"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action" selector="rotate"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_num_logs" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_space_left_action" selector="email"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_multiple_time_servers" selector="rhel"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_required" selector="yes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" selector="077"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" selector="35"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" selector="10"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="60"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_tmout" selector="10_min"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_difok" selector="8"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minclass" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_smartcard_drivers" selector="cac"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_inactivity_timeout_value" selector="10_minutes"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_pci-dss"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">PCI-DSS v3 Control Baseline for Red Hat Enterprise Linux 7</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Ensures PCI-DSS v3 related security configuration settings are applied.</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_hids" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_unique_name" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_smartcard_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_libreswan_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_logins" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_execshield_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disk_partitioning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_base" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" selector="90"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="1800"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="15_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minclass" selector="2"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_num_logs" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_multiple_time_servers" selector="rhel"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_cjis"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Criminal Justice Information Services (CJIS) Security Policy</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile is derived from the FBI's CJIS v5.4 | |
| Security Policy. A copy of this policy can be found at the CJIS Security | |
| Policy Resource Center: | |
| https://www.fbi.gov/services/cjis/cjis-security-policy-resource-center</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_unique_name" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_logins" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_execshield_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disk_partitioning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_base" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ntp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="12"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="10"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" selector="0"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="12"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_difok" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="600"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="30_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_inactivity_timeout_value" selector="30_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_stig-rhel7-disa"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">DISA STIG for Red Hat Enterprise Linux 7</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains configuration checks that align to the | |
| DISA STIG for Red Hat Enterprise Linux V1R4. | |
| In addition to being applicable to RHEL7, DISA recognizes this | |
| configuration baseline as applicable to the operating system tier of | |
| Red Hat technologies that are based on RHEL7, such as: | |
| - Red Hat Enterprise Linux Server | |
| - Red Hat Enterprise Linux Workstation and Desktop | |
| - Red Hat Virtualization Hypervisor (RHV-H) | |
| - Red Hat Enterprise Linux for HPC | |
| - Red Hat Storage</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_ownership" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_locked" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_locked" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxrepeat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_set_min_life_existing" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_set_max_life_existing" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_smartcard_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypserv_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_user_login_roles" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_scan_notification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_clean_components_post_updating" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_installed_OS_is_certified" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_defined" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_exists" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_home_directories" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_ownership_home_directories" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupownership_home_directories" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_users_home_files_ownership" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_users_home_files_groupownership" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_users_home_files_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_user_dot_user_ownership" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_user_dot_group_ownership" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permission_user_init_files" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_user_home_paths_only" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_umask_interactive_users" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_cron_allow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_kdump_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_home" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_verify_acls" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_no_removeable_media" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_create" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_mcafee_antivirus" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mcafee_antivirus_definitions_updated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_configure_firewalld_ports" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_tmout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_ldap_start_tls" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca_dir" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_ldap_configure_tls_ca" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_openssh-server_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_sshd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_print_last_log" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_compression" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_configure_firewalld_rate_limiting" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_user_host_based_files" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_host_based_files" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_configure_name_resolution" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_vsftpd_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_tftp-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_tftpd_uses_secure_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_smartcard_packages" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_enable_pam_services" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_smartcard_configure_cert_checking" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_noexec_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="dod_banners"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_inactivity_timeout_value" selector="15_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_sssd_ssh_known_hosts_timeout" selector="5_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_screensaver_lock_delay" selector="5_seconds"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="10_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="15"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="never"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_difok" selector="8"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minclass" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="60"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" selector="0"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_removable_partition" selector="dev_cdrom"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" selector="root"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_space_left_action" selector="email"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" selector="077"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" selector="10"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_tmout" selector="10_min"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" selector="system_default"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_source_route_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_source_route_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_mcafee_antivirus_definition_expire" selector="1_week"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_required" selector="yes"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_ospp"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">United States Government Configuration Baseline</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This compliance profile reflects the core set of | |
| security-related configuration settings for deployment of Red Hat Enterprise | |
| Linux 7.x into U.S. Defense, Intelligence, and Civilian agencies. | |
| Development partners and sponsors include the U.S. National Institute | |
| of Standards and Technology (NIST), U.S. Department of Defense, | |
| the National Security Agency, and Red Hat. | |
| This baseline implements configuration requirements from the following | |
| sources: | |
| - Committee on National Security Systems Instruction No. 1253 (CNSSI 1253) | |
| - NIST Controlled Unclassified Information (NIST 800-171) | |
| - NIST 800-53 control selections for MODERATE impact systems (NIST 800-53) | |
| - U.S. Government Configuration Baseline (USGCB) | |
| - NIAP Protection Profile for General Purpose Operating Systems v4.0 (OSPP v4.0) | |
| - DISA Operating System Security Requirements Guide (OS SRG) | |
| For any differing configuration requirements, e.g. password lengths, the stricter | |
| security setting was chosen. Security Requirement Traceability Guides (RTMs) and | |
| sample System Security Configuration Guides are provided via the | |
| scap-security-guide-docs package. | |
| This profile reflects U.S. Government consensus content and is developed through | |
| the OpenSCAP/SCAP Security Guide initiative, championed by the National | |
| Security Agency. Except for differences in formatting to accommodate | |
| publishing processes, this profile mirrors OpenSCAP/SCAP Security Guide | |
| content as minor divergences, such as bugfixes, work through the | |
| consensus and release processes.</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_installed_OS_is_certified" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_interval" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_forwarding" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_insmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_modprobe" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_rmmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_cron_logging" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_nolisten" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_libreswan_approved_tunnels" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_xinetd_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypbind_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypserv_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_crond_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rexec_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rlogin_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rsh_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_sshd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_ypbind_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_zebra_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_use_kerberos_security_all_exports" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_compression" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_system_owned" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_selinux" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_cron_allow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_krb_sec_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nosuid_remote_filesystems" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_abrt_anon_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_abrt_handle_event" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_abrt_upload_watch_anon_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_auditadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_cron_can_relabel" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_cron_system_cronjob_use_shares" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_cron_userdomain_transition" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_daemons_dump_core" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_daemons_use_tcp_wrapper" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_daemons_use_tty" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_deny_execmem" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_deny_ptrace" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_domain_fd_use" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_domain_kernel_load_modules" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_gpg_web_anon_write" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_guest_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_kerberos_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_logadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_can_sendmail" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_use_tty" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_login_console_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_mmap_low_allowed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_mock_enable_homedirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_mount_anyfile" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_polyinstantiation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secure_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_secure_mode_policyload" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_direct_dri_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execheap" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execstack" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_mysql_connect_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_ping" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_postgresql_connect_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_rw_noexattrfile" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_share_music" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_tcp_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_udp_server" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_use_ssh_chroot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_ssh_chroot_rw_homedirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_ssh_keysign" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_ssh_sysadm_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_staff_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_sysadm_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_unconfined_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_use_ecryptfs_home_dirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_user_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_bind_vnc_tcp_port" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_exec_bootloader" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_sysadm_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xdm_write_home" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_connect_network" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_exec_content" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_mount_media" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xguest_use_bluetooth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xserver_clients_write_xshm" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xserver_execmem" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sebool_xserver_object_manager" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_all_devicefiles_labeled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_scan_notification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_use_fips_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_verify_acls" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_verify_ext_attributes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_antivirus" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_hids" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ldap_client_start_tls" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_install_PAE_kernel_on_x86-32" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_kdump_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_maxclassrepeat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minclass" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_tmout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_display_login_attempts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_opensc_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_configure_opensc_nss_db" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_configure_opensc_card_drivers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_force_opensc_card_drivers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_enable_smartcards" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_memcache_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sssd_ssh_known_hosts_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_encrypt_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_repo_metadata" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_local_packages" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_sniffer_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_ipv6_disable_rpc" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_network_ipv6_privacy_extensions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_ctrlaltdel_reboot" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_geolocation" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_restart_shutdown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_thumbnailers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_admin" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_user_list" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_create" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_disable_wifi_notification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_enable_smartcard_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_retries" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_info" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_enable_dconf_user_profile" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_automatic_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_guest_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_clean_components_post_updating" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="usgcb_default"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_inactivity_timeout_value" selector="15_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="15"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="10_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="never"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value" selector="disabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" selector="enabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value" selector="enabled"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" selector="root"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" selector="single"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_flush" selector="data"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action" selector="rotate"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_num_logs" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_space_left_action" selector="email"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_multiple_time_servers" selector="rhel"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_required" selector="yes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" selector="077"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" selector="35"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" selector="10"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="60"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_tmout" selector="10_min"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_difok" selector="8"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minclass" selector="4"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_smartcard_drivers" selector="cac"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_C2S"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">C2S for Red Hat Enterprise Linux 7</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile demonstrates compliance against the | |
| U.S. Government Commercial Cloud Services (C2S) baseline. | |
| This baseline was inspired by the Center for Internet Security | |
| (CIS) Red Hat Enterprise Linux 7 Benchmark, v2.1.1 - 01-31-2017. | |
| For the SCAP Security Guide project to remain in compliance with | |
| CIS' terms and conditions, specifically Restrictions(8), note | |
| there is no representation or claim that the C2S profile will | |
| ensure a system is in compliance or consistency with the CIS | |
| baseline.</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_home" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nodev" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rhnsd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_exec_shield" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_enable_selinux" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_setroubleshoot_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_mcstrans_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_login_banner_text" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_dconf_gnome_banner_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_tftp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_xinetd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_xorg-x11-server-common_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_avahi-daemon_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_cups_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_dhcpd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_openldap-servers_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rpcbind_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_nfs_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_named_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_httpd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_dovecot_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_smb_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_squid_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_snmpd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypserv_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rexec_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rsh_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rlogin_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_ypbind_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsh_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_talk_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_tcp_wrappers_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_audit_argument" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_crond_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_macs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_minlen" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_files_unowned_by_user" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_ungroupowned" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_suid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_sgid" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_storage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="usgcb_default"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" selector="root"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" selector="single"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="14"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="900"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" selector="30"/> | |
| </Profile> | |
| <Profile id="xccdf_org.ssgproject.content_profile_rht-ccp"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US" override="true">This profile contains the minimum security-relevant configuration settings recommended by Red Hat, Inc. for Red Hat Enterprise Linux 7 instances deployed by Red Hat Certified Cloud Providers.</description> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_security_patches_up_to_date" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_unix_remember" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_retry" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_dcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ucredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_ocredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_lcredit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_password_pam_difok" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_systemauth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_logindefs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_password_hashing_algorithm_libuserconf" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_grub2_password" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_dccp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_set_firewalld_default_zone" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_firewalld_sshd_port_enabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_abrtd_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_service_telnet_disabled" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_disable_host_auth" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers" selected="true"/> | |
| <select idref="xccdf_org.ssgproject.content_group_remediation_functions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_login_events" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_privileged_commands" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_file_deletion_events" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_dac_actions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_audit_unsuccessful_file_modification" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_enable_execshield_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6_autoconfig" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_bootloader-grub-legacy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openstack" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_http" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_ntp" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/> | |
| <select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_file_owner_logfiles_value" selector="root"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value" selector="root"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="5_minutes"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="6"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_retry" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="2"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="2"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="2"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_difok" selector="3"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="5"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" selector="077"/> | |
| <refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="usgcb_default"/> | |
| </Profile> | |
| <Group id="xccdf_org.ssgproject.content_group_remediation_functions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation functions used by the SCAP Security Guide Project</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">XCCDF form of the various remediation functions as used by remediation scripts from the SCAP Security Guide Project.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_function_rhel7_ensure_there_are_servers_in_ntp_compatible_config_file" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function rhel7_ensure_there_are_servers_in_ntp_compatible_config_file</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function ensures that the ntp/chrony config file contains valid server entries | |
| # $1: Path to the config file | |
| # $2: Comma-separated list of servers | |
| function rhel7_ensure_there_are_servers_in_ntp_compatible_config_file { | |
| # If invoked with no arguments, exit. This is an intentional behavior. | |
| [ $# -gt 1 ] || return 0 | |
| [ $# = 2 ] || die "$0 requires zero or exactly two arguments" | |
| local _config_file="$1" _servers_list="$2" | |
| if ! grep -q '#[[:space:]]*server' "$_config_file"; then | |
| for server in $(echo "$_servers_list" | tr ',' '\n') ; do | |
| printf '\nserver %s iburst' "$server" >> "$_config_file" | |
| done | |
| else | |
| sed -i 's/#[ \t]*server/server/g' "$_config_file" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_populate" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function populate</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># The populate function isn't directly used by SSG at the moment but it can be | |
| # used for testing purposes and will be used in SSG Testsuite in the future. | |
| function populate { | |
| # code to populate environment variables needed (for unit testing) | |
| if [ -z "${!1}" ]; then | |
| echo "$1 is not defined. Exiting." | |
| exit | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_package_remove" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function package_remove</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to remove packages on RHEL, Fedora, Debian, and possibly other systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # package_remove telnet-server | |
| # | |
| function package_remove { | |
| # Load function arguments into local variables | |
| local package="$1" | |
| # Check sanity of the input | |
| if [ $# -ne "1" ] | |
| then | |
| echo "Usage: package_remove 'package_name'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| if which dnf ; then | |
| if rpm -q --quiet "$package"; then | |
| dnf remove -y "$package" | |
| fi | |
| elif which yum ; then | |
| if rpm -q --quiet "$package"; then | |
| yum remove -y "$package" | |
| fi | |
| elif which apt-get ; then | |
| apt-get remove -y "$package" | |
| else | |
| echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_perform_audit_rules_privileged_commands_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function perform_audit_rules_privileged_commands_remediation</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to perform remediation for 'audit_rules_privileged_commands' rule | |
| # | |
| # Expects two arguments: | |
| # | |
| # audit_tool tool used to load audit rules | |
| # One of 'auditctl' or 'augenrules' | |
| # | |
| # min_auid Minimum original ID the user logged in with | |
| # '500' for RHEL-6 and before, '1000' for RHEL-7 and after. | |
| # | |
| # Example Call(s): | |
| # | |
| # perform_audit_rules_privileged_commands_remediation "auditctl" "500" | |
| # perform_audit_rules_privileged_commands_remediation "augenrules" "1000" | |
| # | |
| function perform_audit_rules_privileged_commands_remediation { | |
| # | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local min_auid="$2" | |
| # Check sanity of the input | |
| if [ $# -ne "2" ] | |
| then | |
| echo "Usage: perform_audit_rules_privileged_commands_remediation 'auditctl | augenrules' '500 | 1000'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| declare -a files_to_inspect=() | |
| # Check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| exit 1 | |
| # If the audit tool is 'auditctl', then: | |
| # * add '/etc/audit/audit.rules' to the list of files to be inspected, | |
| # * specify '/etc/audit/audit.rules' as the output audit file, where | |
| # missing rules should be inserted | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("/etc/audit/audit.rules") | |
| output_audit_file="/etc/audit/audit.rules" | |
| # | |
| # If the audit tool is 'augenrules', then: | |
| # * add '/etc/audit/rules.d/*.rules' to the list of files to be inspected | |
| # (split by newline), | |
| # * specify '/etc/audit/rules.d/privileged.rules' as the output file, where | |
| # missing rules should be inserted | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| IFS=$'\n' files_to_inspect=($(find /etc/audit/rules.d -maxdepth 1 -type f -name '*.rules' -print)) | |
| output_audit_file="/etc/audit/rules.d/privileged.rules" | |
| fi | |
| # Obtain the list of SUID/SGID binaries on the particular system (split by newline) | |
| # into privileged_binaries array | |
| IFS=$'\n' privileged_binaries=($(find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null)) | |
| # Keep list of SUID/SGID binaries that have been already handled within some previous iteration | |
| declare -a sbinaries_to_skip=() | |
| # For each found sbinary in privileged_binaries list | |
| for sbinary in "${privileged_binaries[@]}" | |
| do | |
| # Check if this sbinary wasn't already handled in some of the previous iterations | |
| # Return match only if whole sbinary definition matched (not in the case just prefix matched!!!) | |
| if printf '%s\n' "${sbinaries_to_skip[@]}" | grep -qxF -- "${sbinary}" | |
| then | |
| # If so, don't process it second time & go to process next sbinary | |
| continue | |
| fi | |
| # Reset the counter of inspected files when starting to check | |
| # presence of existing audit rule for new sbinary | |
| local count_of_inspected_files=0 | |
| # Define expected rule form for this binary | |
| expected_rule="-a always,exit -F path=${sbinary} -F perm=x -F auid>=${min_auid} -F auid!=unset -k privileged" | |
| # If list of audit rules files to be inspected is empty, just add new rule and move on to next binary | |
| if [[ ${#files_to_inspect[@]} -eq 0 ]]; then | |
| echo "$expected_rule" >> "$output_audit_file" | |
| continue | |
| fi | |
| # Replace possible slash '/' character in sbinary definition so we could use it in sed expressions below | |
| sbinary_esc=${sbinary//$'/'/$'\/'} | |
| # For each audit rules file from the list of files to be inspected | |
| for afile in "${files_to_inspect[@]}" | |
| do | |
| # Search current audit rules file's content for match. Match criteria: | |
| # * existing rule is for the same SUID/SGID binary we are currently processing (but | |
| # can contain multiple -F path= elements covering multiple SUID/SGID binaries) | |
| # * existing rule contains all arguments from expected rule form (though can contain | |
| # them in arbitrary order) | |
| base_search=$(sed -e '/-a always,exit/!d' -e '/-F path='"${sbinary_esc}"'/!d' \ | |
| -e '/-F path=[^[:space:]]\+/!d' -e '/-F perm=.*/!d' \ | |
| -e '/-F auid>='"${min_auid}"'/!d' -e '/-F auid!=\(4294967295\|unset\)/!d' \ | |
| -e '/-k privileged/!d' "$afile") | |
| # Increase the count of inspected files for this sbinary | |
| count_of_inspected_files=$((count_of_inspected_files + 1)) | |
| # Require execute access type to be set for existing audit rule | |
| exec_access='x' | |
| # Search current audit rules file's content for presence of rule pattern for this sbinary | |
| if [[ $base_search ]] | |
| then | |
| # Current audit rules file already contains rule for this binary => | |
| # Store the exact form of found rule for this binary for further processing | |
| concrete_rule=$base_search | |
| # Select all other SUID/SGID binaries possibly also present in the found rule | |
| IFS=$'\n' handled_sbinaries=($(grep -o -e "-F path=[^[:space:]]\+" <<< "$concrete_rule")) | |
| IFS=$' ' handled_sbinaries=(${handled_sbinaries[@]//-F path=/}) | |
| # Merge the list of such SUID/SGID binaries found in this iteration with global list ignoring duplicates | |
| sbinaries_to_skip=($(for i in "${sbinaries_to_skip[@]}" "${handled_sbinaries[@]}"; do echo "$i"; done | sort -du)) | |
| # Separate concrete_rule into three sections using hash '#' | |
| # sign as a delimiter around rule's permission section borders | |
| concrete_rule="$(echo "$concrete_rule" | sed -n "s/\(.*\)\+\(-F perm=[rwax]\+\)\+/\1#\2#/p")" | |
| # Split concrete_rule into head, perm, and tail sections using hash '#' delimiter | |
| IFS=$'#' read -r rule_head rule_perm rule_tail <<< "$concrete_rule" | |
| # Extract already present exact access type [r|w|x|a] from rule's permission section | |
| access_type=${rule_perm//-F perm=/} | |
| # Verify current permission access type(s) for rule contain 'x' (execute) permission | |
| if ! grep -q "$exec_access" <<< "$access_type" | |
| then | |
| # If not, append the 'x' (execute) permission to the existing access type bits | |
| access_type="$access_type$exec_access" | |
| # Reconstruct the permissions section for the rule | |
| new_rule_perm="-F perm=$access_type" | |
| # Update existing rule in current audit rules file with the new permission section | |
| sed -i "s#${rule_head}\(.*\)${rule_tail}#${rule_head}${new_rule_perm}${rule_tail}#" "$afile" | |
| fi | |
| # If the required audit rule for particular sbinary wasn't found yet, insert it under following conditions: | |
| # | |
| # * in the "auditctl" mode of operation insert particular rule each time | |
| # (because in this mode there's only one file -- /etc/audit/audit.rules to be inspected for presence of this rule), | |
| # | |
| # * in the "augenrules" mode of operation insert particular rule only once and only in case we have already | |
| # searched all of the files from /etc/audit/rules.d/*.rules location (since that audit rule can be defined | |
| # in any of those files and if not, we want it to be inserted only once into /etc/audit/rules.d/privileged.rules file) | |
| # | |
| elif [ "$tool" == "auditctl" ] || [[ "$tool" == "augenrules" && $count_of_inspected_files -eq "${#files_to_inspect[@]}" ]] | |
| then | |
| # Current audit rules file's content doesn't contain expected rule for this | |
| # SUID/SGID binary yet => append it | |
| echo "$expected_rule" >> "$output_audit_file" | |
| continue | |
| fi | |
| done | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_include_mount_options_functions" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function include_mount_options_functions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function include_mount_options_functions { | |
| : | |
| } | |
| # $1: type of filesystem | |
| # $2: new mount point option | |
| function ensure_mount_option_for_vfstype { | |
| local _vfstype="$1" _new_opt="$2" _vfstype_points=() | |
| _vfstype_points=($(grep -E "[[:space:]]$_vfstype[[:space:]]" /etc/fstab | awk '{print $2}')) | |
| for _vfstype_point in "${_vfstype_points[@]}" | |
| do | |
| ensure_mount_option_in_fstab "$_vfstype_point" "$_new_opt" | |
| done | |
| } | |
| # $1: mount point | |
| # $2: new mount point option | |
| function ensure_mount_option_in_fstab { | |
| local _mount_point="$1" _new_opt="$2" _mount_point_match_regexp="" _previous_mount_opts="" | |
| _mount_point_match_regexp="$(get_mount_point_regexp "$_mount_point")" | |
| if [ $(grep "$_mount_point_match_regexp" /etc/fstab | grep -c "$_new_opt" ) -eq 0 ]; then | |
| _previous_mount_opts=$(grep "$_mount_point_match_regexp" /etc/fstab | awk '{print $4}') | |
| sed -i "s|\(${_mount_point_match_regexp}.*${_previous_mount_opts}\)|\1,${_new_opt}|" /etc/fstab | |
| fi | |
| } | |
| # $1: mount point | |
| function get_mount_point_regexp { | |
| printf "[[:space:]]%s[[:space:]]" "$1" | |
| } | |
| # $1: mount point | |
| function assert_mount_point_in_fstab { | |
| local _mount_point_match_regexp | |
| _mount_point_match_regexp="$(get_mount_point_regexp "$1")" | |
| grep "$_mount_point_match_regexp" -q /etc/fstab \ | |
| || { echo "The mount point '$1' is not even in /etc/fstab, so we can't set up mount options" >&2; return 1; } | |
| } | |
| # $1: mount point | |
| function remove_defaults_from_fstab_if_overriden { | |
| local _mount_point_match_regexp | |
| _mount_point_match_regexp="$(get_mount_point_regexp "$1")" | |
| if grep "$_mount_point_match_regexp" /etc/fstab | grep -q "defaults," | |
| then | |
| sed -i "s|\(${_mount_point_match_regexp}.*\)defaults,|\1|" /etc/fstab | |
| fi | |
| } | |
| # $1: mount point | |
| function ensure_partition_is_mounted { | |
| local _mount_point="$1" | |
| mkdir -p "$_mount_point" || return 1 | |
| if mountpoint -q "$_mount_point"; then | |
| mount -o remount --target "$_mount_point" | |
| else | |
| mount --target "$_mount_point" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_disable_prelink" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function disable_prelink</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function disable_prelink { | |
| # Disable prelinking and don't even check | |
| # whether it is installed. | |
| if grep -q ^PRELINKING /etc/sysconfig/prelink | |
| then | |
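| # POSIX character classes are only valid inside a bracket expression: [[:blank:]], not [:blank:] | |
| sed -i 's/^PRELINKING[[:blank:]]*=[[:blank:]]*[[:alpha:]]*/PRELINKING=no/' /etc/sysconfig/prelink | |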
| else | |
| printf '\n' >> /etc/sysconfig/prelink | |
| printf '%s\n' '# Set PRELINKING=no per security requirements' 'PRELINKING=no' >> /etc/sysconfig/prelink | |
| fi | |
| # Undo previous prelink changes to binaries if prelink is available. | |
| if test -x /usr/sbin/prelink; then | |
| /usr/sbin/prelink -ua | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_die" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function die</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Print a message to stderr and exit the shell | |
| # $1: The message to print. | |
| # $2: The error code (optional, default is 1) | |
| function die { | |
| local _message="$1" _rc="${2:-1}" | |
| printf '%s\n' "$_message" >&2 | |
| exit "$_rc" | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_firefox_cfg_setting" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function firefox_cfg_setting</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to replace configuration setting(s) in the Firefox preferences configuration (.cfg) file or add the | |
| # preference if it does not exist. | |
| # | |
| # Expects three arguments: | |
| # | |
| # config_file: Configuration file that will be modified | |
| # key: Configuration option to change | |
| # value: Value of the configuration option to change | |
| # | |
| # | |
| # Example Call(s): | |
| # | |
| # Without string or variable: | |
| # firefox_cfg_setting "stig.cfg" "extensions.update.enabled" "false" | |
| # | |
| # With string: | |
| # firefox_cfg_setting "stig.cfg" "security.default_personal_cert" "\"Ask Every Time\"" | |
| # | |
| # With a string variable: | |
| # firefox_cfg_setting "stig.cfg" "browser.startup.homepage" "\"${var_default_home_page}\"" | |
| # | |
| function firefox_cfg_setting { | |
| local firefox_cfg=$1 | |
| local key=$2 | |
| local value=$3 | |
| local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" | |
| # Check sanity of input | |
| if [ $# -lt "3" ] | |
| then | |
| echo "Usage: firefox_cfg_setting 'config_cfg_file' 'key_to_search' 'new_value'" | |
| echo | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check the possible Firefox install directories | |
| for firefox_dir in ${firefox_dirs}; do | |
| # If the Firefox directory exists, then Firefox is installed | |
| if [ -d "${firefox_dir}" ]; then | |
| # Make sure the Firefox .cfg file exists and has the appropriate permissions | |
| if ! [ -f "${firefox_dir}/${firefox_cfg}" ] ; then | |
| touch "${firefox_dir}/${firefox_cfg}" | |
| chmod 644 "${firefox_dir}/${firefox_cfg}" | |
| fi | |
| # If the key exists, change it. Otherwise, add it to the config_file. | |
| if LC_ALL=C grep -m 1 -q "^lockPref(\"${key}\", " "${firefox_dir}/${firefox_cfg}"; then | |
| sed -i "s/lockPref(\"${key}\".*/lockPref(\"${key}\", ${value});/g" "${firefox_dir}/${firefox_cfg}" | |
| else | |
| echo "lockPref(\"${key}\", ${value});" >> "${firefox_dir}/${firefox_cfg}" | |
| fi | |
| fi | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function fix_audit_watch_rule</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to fix audit file system object watch rule for given path: | |
| # * if rule exists, also verifies the -p access bits match the requirements | |
| # * if rule doesn't exist yet, appends expected rule form to $files_to_inspect | |
| # audit rules file, depending on the tool which was used to load audit rules | |
| # | |
| # Expects four arguments (each of them is required) in the form of: | |
| # * audit tool: tool used to load audit rules, | |
| #   either 'auditctl' or 'augenrules' | |
| # * path: value of -w audit rule's argument | |
| # * required access bits: value of -p audit rule's argument | |
| # * key: value of -k audit rule's argument | |
| # | |
| # Example call: | |
| # | |
| # fix_audit_watch_rule "auditctl" "/etc/localtime" "wa" "audit_time_rules" | |
| # | |
| function fix_audit_watch_rule { | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local path="$2" | |
| local required_access_bits="$3" | |
| local key="$4" | |
| # Check sanity of the input | |
| if [ $# -ne "4" ] | |
| then | |
| echo "Usage: fix_audit_watch_rule 'tool' 'path' 'bits' 'key'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Create a list of audit *.rules files that should be inspected for presence and correctness | |
| # of a particular audit rule. The scheme is as follows: | |
| # | |
| # ----------------------------------------------------------------------------------------- | |
| # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | | |
| # ----------------------------------------------------------------------------------------- | |
| # auditctl | Doesn't matter | /etc/audit/audit.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # augenrules | Yes | /etc/audit/rules.d/*.rules | | |
| # augenrules | No | /etc/audit/rules.d/$key.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| declare -a files_to_inspect | |
| # Check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| exit 1 | |
| # If the audit tool is 'auditctl', then add '/etc/audit/audit.rules' | |
| # into the list of files to be inspected | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules') | |
| # If the audit tool is 'augenrules', then check if rule is already defined | |
| # If rule is defined, add '/etc/audit/rules.d/*.rules' to list of files for inspection. | |
| # If rule isn't defined, add '/etc/audit/rules.d/$key.rules' to list of files for inspection. | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| # Case when particular audit rule is already defined in some of /etc/audit/rules.d/*.rules file | |
| # Get pair -- filepath : matching_row into @matches array | |
| IFS=$'\n' matches=($(grep -P "[\s]*-w[\s]+$path" /etc/audit/rules.d/*.rules)) | |
| # Reset IFS back to default | |
| unset IFS | |
| # For each of the matched entries | |
| for match in "${matches[@]}" | |
| do | |
| # Extract filepath from the match | |
| rulesd_audit_file=$(echo $match | cut -f1 -d ':') | |
| # Append that path into list of files for inspection | |
| files_to_inspect=("${files_to_inspect[@]}" "$rulesd_audit_file") | |
| done | |
| # Case when particular audit rule isn't defined yet | |
| if [ ${#files_to_inspect[@]} -eq "0" ] | |
| then | |
| # Append '/etc/audit/rules.d/$key.rules' into list of files for inspection | |
| files_to_inspect="/etc/audit/rules.d/$key.rules" | |
| # If the $key.rules file doesn't exist yet, create it with correct permissions | |
| if [ ! -e "$files_to_inspect" ] | |
| then | |
| touch "$files_to_inspect" | |
| chmod 0640 "$files_to_inspect" | |
| fi | |
| fi | |
| fi | |
| # Finally perform the inspection and possible subsequent audit rule | |
| # correction for each of the files previously identified for inspection | |
| for audit_rules_file in "${files_to_inspect[@]}" | |
| do | |
| # Check if audit watch file system object rule for given path already present | |
| if grep -q -P -- "[\s]*-w[\s]+$path" "$audit_rules_file" | |
| then | |
| # Rule is found => verify yet if existing rule definition contains | |
| # all of the required access type bits | |
| # Escape slashes in path for use in sed pattern below | |
| local esc_path=${path//$'/'/$'\/'} | |
| # Define BRE whitespace class shortcut | |
| local sp="[[:space:]]" | |
| # Extract current permission access types (e.g. -p [r|w|x|a] values) from audit rule | |
| current_access_bits=$(sed -ne "s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p" "$audit_rules_file") | |
| # Split required access bits string into characters array | |
| # (to check bit's presence for one bit at a time) | |
| for access_bit in $(echo "$required_access_bits" | grep -o .) | |
| do | |
| # For each from the required access bits (e.g. 'w', 'a') check | |
| # if they are already present in current access bits for rule. | |
| # If not, append that bit at the end | |
| if ! grep -q "$access_bit" <<< "$current_access_bits" | |
| then | |
| # Concatenate the existing mask with the missing bit | |
| current_access_bits="$current_access_bits$access_bit" | |
| fi | |
| done | |
| # Propagate the updated rule's access bits (original + the required | |
| # ones) back into the /etc/audit/audit.rules file for that rule | |
| sed -i "s/\($sp*-w$sp\+$esc_path$sp\+-p$sp\+\)\([rxwa]\{1,4\}\)\(.*\)/\1$current_access_bits\3/" "$audit_rules_file" | |
| else | |
| # Rule isn't present yet. Append it at the end of $audit_rules_file file | |
| # with proper key | |
| echo "-w $path -p $required_access_bits -k $key" >> "$audit_rules_file" | |
| fi | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_firefox_js_setting" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function firefox_js_setting</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to replace configuration setting(s) in the Firefox preferences JavaScript file or add the | |
| # preference if it does not exist. | |
| # | |
| # Expects three arguments: | |
| # | |
| # config_file: Configuration file that will be modified | |
| # key: Configuration option to change | |
| # value: Value of the configuration option to change | |
| # | |
| # | |
| # Example Call(s): | |
| # | |
| # Without string or variable: | |
| # firefox_js_setting "stig_settings.js" "general.config.obscure_value" "0" | |
| # | |
| # With string: | |
| # firefox_js_setting "stig_settings.js" "general.config.filename" "\"stig.cfg\"" | |
| # | |
| # With a string variable: | |
| # firefox_js_setting "stig_settings.js" "general.config.filename" "\"$var_config_file_name\"" | |
| # | |
| function firefox_js_setting { | |
| local firefox_js=$1 | |
| local key=$2 | |
| local value=$3 | |
| local firefox_dirs="/usr/lib/firefox /usr/lib64/firefox /usr/local/lib/firefox /usr/local/lib64/firefox" | |
| local firefox_pref="/defaults/pref" | |
| local firefox_preferences="/defaults/preferences" | |
| # Check sanity of input | |
| if [ $# -lt "3" ] | |
| then | |
| echo "Usage: firefox_js_setting 'config_javascript_file' 'key_to_search' 'new_value'" | |
| echo | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check the possible Firefox install directories | |
| for firefox_dir in ${firefox_dirs}; do | |
| # If the Firefox directory exists, then Firefox is installed | |
| if [ -d "${firefox_dir}" ]; then | |
| # Different versions of Firefox have different preferences directories, check for them and set the right one | |
| if [ -d "${firefox_dir}/${firefox_pref}" ] ; then | |
| local firefox_pref_dir="${firefox_dir}/${firefox_pref}" | |
| elif [ -d "${firefox_dir}/${firefox_preferences}" ] ; then | |
| local firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | |
| else | |
| mkdir -m 755 -p "${firefox_dir}/${firefox_preferences}" | |
| local firefox_pref_dir="${firefox_dir}/${firefox_preferences}" | |
| fi | |
| # Make sure the Firefox .js file exists and has the appropriate permissions | |
| if ! [ -f "${firefox_pref_dir}/${firefox_js}" ] ; then | |
| touch "${firefox_pref_dir}/${firefox_js}" | |
| chmod 644 "${firefox_pref_dir}/${firefox_js}" | |
| fi | |
| # If the key exists, change it. Otherwise, add it to the config_file. | |
| if LC_ALL=C grep -m 1 -q "^pref(\"${key}\", " "${firefox_pref_dir}/${firefox_js}"; then | |
| sed -i "s/pref(\"${key}\".*/pref(\"${key}\", ${value});/g" "${firefox_pref_dir}/${firefox_js}" | |
| else | |
| echo "pref(\"${key}\", ${value});" >> "${firefox_pref_dir}/${firefox_js}" | |
| fi | |
| fi | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_replace_or_append" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function replace_or_append</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to replace configuration setting in config file or add the configuration setting if | |
| # it does not exist. | |
| # | |
| # Expects arguments: | |
| # | |
| # config_file: Configuration file that will be modified | |
| # key: Configuration option to change | |
| # value: Value of the configuration option to change | |
| # cce: The CCE identifier or '@CCENUM@' if no CCE identifier exists | |
| # format: The printf-like format string that will be given stripped key and value as arguments, | |
| # so e.g. '%s=%s' will result in key=value substitution (i.e. without spaces around =) | |
| # | |
| # Optional arguments: | |
| # | |
| # format: Optional argument to specify the format of how key/value should be | |
| # modified/appended in the configuration file. The default is key = value. | |
| # | |
| # Example Call(s): | |
| # | |
| # With default format of 'key = value': | |
| # replace_or_append '/etc/sysctl.conf' '^kernel.randomize_va_space' '2' '@CCENUM@' | |
| # | |
| # With custom key/value format: | |
| # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' 'disabled' '@CCENUM@' '%s=%s' | |
| # | |
| # With a variable: | |
| # replace_or_append '/etc/sysconfig/selinux' '^SELINUX=' $var_selinux_state '@CCENUM@' '%s=%s' | |
| # | |
| function replace_or_append { | |
| local default_format='%s = %s' case_insensitive_mode=yes sed_case_insensitive_option='' grep_case_insensitive_option='' | |
| local config_file=$1 | |
| local key=$2 | |
| local value=$3 | |
| local cce=$4 | |
| local format=$5 | |
| if [ "$case_insensitive_mode" = yes ]; then | |
| sed_case_insensitive_option="i" | |
| grep_case_insensitive_option="-i" | |
| fi | |
| [ -n "$format" ] || format="$default_format" | |
| # Check sanity of the input | |
| [ $# -ge "3" ] || { echo "Usage: replace_or_append <config_file_location> <key_to_search> <new_value> [<CCE number or literal '@CCENUM@' if unknown>] [printf-like format, default is '$default_format']" >&2; exit 1; } | |
| # Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed. | |
| # Otherwise, regular sed command will do. | |
| sed_command=('sed' '-i') | |
| if test -L "$config_file"; then | |
| sed_command+=('--follow-symlinks') | |
| fi | |
| # Test that the cce arg is not empty or does not equal @CCENUM@. | |
| # If @CCENUM@ exists, it means that there is no CCE assigned. | |
| if [ -n "$cce" ] && [ "$cce" != '@CCENUM@' ]; then | |
| cce="CCE-${cce}" | |
| else | |
| cce="CCE" | |
| fi | |
| # Strip any search characters in the key arg so that the key can be replaced without | |
| # adding any search characters to the config file. | |
| stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "$key") | |
| # shellcheck disable=SC2059 | |
| printf -v formatted_output "$format" "$stripped_key" "$value" | |
| # If the key exists, change it. Otherwise, add it to the config_file. | |
| # We search for the key string followed by a word boundary (matched by \>), | |
| # so if we search for 'setting', 'setting2' won't match. | |
| if LC_ALL=C grep -q -m 1 $grep_case_insensitive_option -e "${key}\\>" "$config_file"; then | |
| "${sed_command[@]}" "s/${key}\\>.*/$formatted_output/g$sed_case_insensitive_option" "$config_file" | |
| else | |
| # \n is precaution for case where file ends without trailing newline | |
| printf '\n# Per %s: Set %s in %s\n' "$cce" "$formatted_output" "$config_file" >> "$config_file" | |
| printf '%s\n' "$formatted_output" >> "$config_file" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_service_command" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function service_command</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to enable/disable and start/stop services on RHEL and Fedora systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # service_command enable bluetooth | |
| # service_command disable bluetooth.service | |
| # | |
| # Using xinetd: | |
| # service_command disable rsh.socket xinetd=rsh | |
| # | |
| function service_command { | |
| # Load function arguments into local variables | |
| local service_state=$1 | |
| local service=$2 | |
| local xinetd=$(echo $3 | cut -d'=' -f2) | |
| # Check sanity of the input | |
| if [ $# -lt "2" ] | |
| then | |
| echo "Usage: service_command 'enable/disable' 'service_name.service'" | |
| echo | |
| echo "To enable or disable xinetd services add 'xinetd=service_name'" | |
| echo "as the last argument" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # If systemctl is installed, use systemctl command; otherwise, use the service/chkconfig commands | |
| if [ -f "/usr/bin/systemctl" ] ; then | |
| service_util="/usr/bin/systemctl" | |
| else | |
| service_util="/sbin/service" | |
| chkconfig_util="/sbin/chkconfig" | |
| fi | |
| # If disable is not specified in arg1, set variables to enable services. | |
| # Otherwise, variables are to be set to disable services. | |
| if [ "$service_state" != 'disable' ] ; then | |
| service_state="enable" | |
| service_operation="start" | |
| chkconfig_state="on" | |
| else | |
| service_state="disable" | |
| service_operation="stop" | |
| chkconfig_state="off" | |
| fi | |
| # If chkconfig_util is not empty, use chkconfig/service commands. | |
| if [ "x$chkconfig_util" != x ] ; then | |
| $service_util $service $service_operation | |
| $chkconfig_util --level 0123456 $service $chkconfig_state | |
| else | |
| $service_util $service_operation $service | |
| $service_util $service_state $service | |
| # The service may not be running because it has been started and failed, | |
| # so let's reset the state so OVAL checks pass. | |
| # Service should be 'inactive', not 'failed' after reboot though. | |
| $service_util reset-failed $service | |
| fi | |
| # Test if local variable xinetd is empty using non-bashism. | |
| # If empty, then xinetd is not being used. | |
| if [ "x$xinetd" != x ] ; then | |
| grep -qi disable "/etc/xinetd.d/$xinetd" && \ | |
| # $service_state is 'enable' or 'disable' here; in xinetd, 'disable = yes' turns the service off | |
| if [ "$service_state" = 'disable' ] ; then | |
| sed -i "s/disable.*/disable = yes/gI" "/etc/xinetd.d/$xinetd" | |
| else | |
| sed -i "s/disable.*/disable = no/gI" "/etc/xinetd.d/$xinetd" | |
| fi | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_include_set_faillock_option" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function include_set_faillock_option</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function include_set_faillock_option { | |
| : | |
| } | |
| function insert_preauth { | |
| local pam_file="$1" | |
| local option="$2" | |
| local value="$3" | |
| # is auth required pam_faillock.so preauth present? | |
| if grep -qE "^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$" "$pam_file" ; then | |
| # is the option set? | |
| if grep -qE "^\s*auth\s+required\s+pam_faillock\.so\s+preauth.*$option=([0-9]*).*$" "$pam_file" ; then | |
| # just change the value of option to a correct value | |
| sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\($option *= *\).*/\1\2$value/" "$pam_file" | |
| # the option is not set. | |
| else | |
| # append the option | |
| sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ $option=$value/" "$pam_file" | |
| fi | |
| # auth required pam_faillock.so preauth is not present, insert the whole line | |
| else | |
| sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/i auth required pam_faillock.so preauth silent $option=$value" "$pam_file" | |
| fi | |
| } | |
| function insert_authfail { | |
| local pam_file="$1" | |
| local option="$2" | |
| local value="$3" | |
| # is auth default pam_faillock.so authfail present? | |
| if grep -qE "^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$" "$pam_file" ; then | |
| # is the option set? | |
| if grep -qE "^\s*auth\s+(\[default=die\])\s+pam_faillock\.so\s+authfail.*$option=([0-9]*).*$" "$pam_file" ; then | |
| # just change the value of option to a correct value | |
| sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\($option *= *\).*/\1\2$value/" "$pam_file" | |
| # the option is not set. | |
| else | |
| # append the option | |
| sed -i --follow-symlinks "/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ $option=$value/" "$pam_file" | |
| fi | |
| # auth default pam_faillock.so authfail is not present, insert the whole line | |
| else | |
| sed -i --follow-symlinks "/^auth.*sufficient.*pam_unix.so.*/a auth [default=die] pam_faillock.so authfail $option=$value" "$pam_file" | |
| fi | |
| } | |
| function insert_account { | |
| local pam_file="$1" | |
| if ! grep -qE "^\s*account\s+required\s+pam_faillock\.so.*$" "$pam_file" ; then | |
| sed -E -i --follow-symlinks "/^\s*account\s*required\s*pam_unix.so/i account required pam_faillock.so" "$pam_file" | |
| fi | |
| } | |
| function set_faillock_option { | |
| local pam_file="$1" | |
| local option="$2" | |
| local value="$3" | |
| insert_preauth "$pam_file" "$option" "$value" | |
| insert_authfail "$pam_file" "$option" "$value" | |
| insert_account "$pam_file" | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_package_install" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function package_install</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to install packages on RHEL, Fedora, Debian, and possibly other systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # package_install aide | |
| # | |
| function package_install { | |
| # Load function arguments into local variables | |
| local package="$1" | |
| # Check sanity of the input | |
| if [ $# -ne "1" ] | |
| then | |
| echo "Usage: package_install 'package_name'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| if which dnf ; then | |
| if ! rpm -q --quiet "$package"; then | |
| dnf install -y "$package" | |
| fi | |
| elif which yum ; then | |
| if ! rpm -q --quiet "$package"; then | |
| yum install -y "$package" | |
| fi | |
| elif which apt-get ; then | |
| apt-get install -y "$package" | |
| else | |
| echo "Failed to detect available packaging system, tried dnf, yum and apt-get!" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_fix_audit_syscall_rule" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function fix_audit_syscall_rule</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to fix syscall audit rule for given system call. It is | |
| # based on example audit syscall rule definitions as outlined in | |
| # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit | |
| # package. It will combine multiple system calls belonging to the same | |
| # syscall group into one audit rule (rather than creating one audit rule per | |
| # system call) to avoid the audit infrastructure performance penalty | |
| # in the case of 'one-audit-rule-definition-per-one-system-call'. See: | |
| # | |
| # https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | |
| # | |
| # for further details. | |
| # | |
| # Expects five arguments (each of them is required) in the form of: | |
| # * audit tool: tool used to load audit rules, | |
| #   either 'auditctl' or 'augenrules' | |
| # * audit rules' pattern: audit rule skeleton for same syscall | |
| # * syscall group: greatest common string this rule shares | |
| #   with other rules from the same group | |
| # * architecture: architecture this rule is intended for | |
| # * full form of new rule to add: expected full form of audit rule as to be | |
| #   added into audit.rules file | |
| # | |
| # Note: The 2nd through 4th arguments are used to determine how many existing | |
| # audit rules will be inspected for resemblance with the new audit rule | |
| # (5th argument) the function is going to add. The rule's similarity check | |
| # is performed to optimize audit.rules definition (merge syscalls of the same | |
| # group into one rule) to avoid the "single-syscall-per-audit-rule" performance | |
| # penalty. | |
| # | |
| # Example call: | |
| # | |
| # See e.g. 'audit_rules_file_deletion_events.sh' remediation script | |
| # | |
| function fix_audit_syscall_rule { | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local pattern="$2" | |
| local group="$3" | |
| local arch="$4" | |
| local full_rule="$5" | |
| # Check sanity of the input | |
| if [ $# -ne "5" ] | |
| then | |
| echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Create a list of audit *.rules files that should be inspected for presence and correctness | |
| # of a particular audit rule. The scheme is as follows: | |
| # | |
| # ----------------------------------------------------------------------------------------- | |
| # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | | |
| # ----------------------------------------------------------------------------------------- | |
| # auditctl | Doesn't matter | /etc/audit/audit.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # augenrules | Yes | /etc/audit/rules.d/*.rules | | |
| # augenrules | No | /etc/audit/rules.d/$key.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # | |
| declare -a files_to_inspect | |
| retval=0 | |
| # First check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| return 1 | |
| # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' | |
| # file to the list of files to be inspected | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' ) | |
| # If audit tool is 'augenrules', then check if the audit rule is defined | |
| # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection | |
| # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| # Extract audit $key from audit rule so we can use it later | |
| key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') | |
| # Check if particular audit rule is already defined | |
| IFS=$'\n' matches=($(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| for match in "${matches[@]}" | |
| do | |
| files_to_inspect=("${files_to_inspect[@]}" "${match}") | |
| done | |
| # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet | |
| if [ ${#files_to_inspect[@]} -eq "0" ] | |
| then | |
| files_to_inspect="/etc/audit/rules.d/$key.rules" | |
| if [ ! -e "$files_to_inspect" ] | |
| then | |
| touch "$files_to_inspect" | |
| chmod 0640 "$files_to_inspect" | |
| fi | |
| fi | |
| fi | |
| # | |
| # Indicator that we want to append $full_rule into $audit_file by default | |
| local append_expected_rule=0 | |
| for audit_file in "${files_to_inspect[@]}" | |
| do | |
| # Filter existing $audit_file rules' definitions to select those that: | |
| # * follow the rule pattern, and | |
| # * meet the hardware architecture requirement, and | |
| # * are current syscall group specific | |
| IFS=$'\n' existing_rules=($(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| # Process rules found case-by-case | |
| for rule in "${existing_rules[@]}" | |
| do | |
| # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) | |
| if [ "${rule}" != "${full_rule}" ] | |
| then | |
| # If so, isolate just '(-S \w)+' substring of that rule | |
| rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+') | |
| # Check if list of '-S syscall' arguments of that rule is subset | |
| # of '-S syscall' list of expected $full_rule | |
| if grep -q -- "$rule_syscalls" <<< "$full_rule" | |
| then | |
| # Rule is covered (i.e. the list of -S syscalls for this rule is a | |
| # subset of the -S syscalls of $full_rule) => existing rule can be deleted | |
| # Thus delete the rule from audit.rules & our array | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| existing_rules=("${existing_rules[@]//$rule/}") | |
| else | |
| # Rule isn't covered by $full_rule - besides -S syscall arguments | |
| # for this group, it also contains -S syscall arguments for another syscall | |
| # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown' | |
| # since 'lchown' & 'fchownat' share 'chown' substring | |
| # Therefore: | |
| # * 1) delete the original rule from audit.rules | |
| # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) | |
| # * 2) delete the -S syscall arguments for this syscall group, but | |
| # keep those not belonging to this syscall group | |
| # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod') | |
| # * 3) append the modified (filtered) rule again into audit.rules | |
| # if the same rule is not already present | |
| # | |
| # 1) Delete the original rule | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # 2) Delete syscalls for this group, but keep those from other groups | |
| # Convert current rule syscall's string into array splitting by '-S' delimiter | |
| IFS=$'-S' read -a rule_syscalls_as_array <<< "$rule_syscalls" | |
| # Reset IFS back to default | |
| unset IFS | |
| # Declare new empty string to hold '-S syscall' arguments from other groups | |
| new_syscalls_for_rule='' | |
| # Walk through existing '-S syscall' arguments | |
| for syscall_arg in "${rule_syscalls_as_array[@]}" | |
| do | |
| # Skip empty $syscall_arg values | |
| if [ "$syscall_arg" == '' ] | |
| then | |
| continue | |
| fi | |
| # If the '-S syscall' doesn't belong to current group add it to the new list | |
| # (together with adding '-S' delimiter back for each of such item found) | |
| if grep -q -v -- "$group" <<< "$syscall_arg" | |
| then | |
| new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" | |
| fi | |
| done | |
| # Replace original '-S syscall' list with the new one for this rule | |
| updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} | |
| # Squeeze repeated whitespace characters in rule definition (if any) into one | |
| updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') | |
| # 3) Append the modified / filtered rule again into audit.rules | |
| # (but only in case it's not present yet to prevent duplicate definitions) | |
| if ! grep -q -- "$updated_rule" "$audit_file" | |
| then | |
| echo "$updated_rule" >> "$audit_file" | |
| fi | |
| fi | |
| else | |
| # $audit_file already contains the expected rule form for this | |
| # architecture & key => don't insert it second time | |
| append_expected_rule=1 | |
| fi | |
| done | |
| # We deleted all rules that were subset of the expected one for this arch & key. | |
| # Also isolated rules containing system calls not from this system calls group. | |
| # Now append the expected rule if it's not present in $audit_file yet | |
| if [[ ${append_expected_rule} -eq "0" ]] | |
| then | |
| echo "$full_rule" >> "$audit_file" | |
| fi | |
| done | |
| return $retval | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_include_dconf_settings" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function include_dconf_settings</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function include_dconf_settings { | |
| : | |
| } | |
| # Function to configure DConf settings for RHEL and Fedora systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # dconf_settings 'org/gnome/login-screen' 'banner-message-enable' 'true' 'local.d' '10-banner' | |
| # | |
| function dconf_settings { | |
| local _path=$1 _key=$2 _value=$3 _db=$4 _settingFile=$5 | |
| # Check sanity of the input | |
| if [ $# -ne "5" ] | |
| then | |
| echo "Usage: dconf_settings 'dconf_path' 'dconf_setting' 'dconf_value' 'dconf_db' 'dconf_settingsfile'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check for setting in any of the DConf db directories | |
| SETTINGSFILES=($(grep -r "\[${_path}]" "/etc/dconf/db/" | grep -v "distro\|ibus" | cut -d":" -f1)) | |
| DCONFFILE="/etc/dconf/db/${_db}/${_settingFile}" | |
| DBDIR="/etc/dconf/db/${_db}" | |
| mkdir -p "${DBDIR}" | |
| if [[ -z "${SETTINGSFILES[@]}" ]] | |
| then | |
| [ ! -z ${DCONFFILE} ] || $(echo "" >> ${DCONFFILE}) | |
| echo "[${_path}]" >> ${DCONFFILE} | |
| echo "${_key}=${_value}" >> ${DCONFFILE} | |
| else | |
| if grep -q -P "^(?!#)${_key}" ${SETTINGSFILES[@]} | |
| then | |
| sed -i "s/${_key}\s*=\s*.*/${_key}=${_value}/g" ${SETTINGSFILES[@]} | |
| else | |
| sed -i "\|\[${_path}]|a\\${_key}=${_value}" ${SETTINGSFILES[@]} | |
| fi | |
| fi | |
| dconf update | |
| } | |
| # Function to configure DConf locks for RHEL and Fedora systems. | |
| # | |
| # Example Call(s): | |
| # | |
| # dconf_lock 'org/gnome/login-screen' 'banner-message-enable' 'local.d' 'banner' | |
| # | |
| function dconf_lock { | |
| local _key=$1 _setting=$2 _db=$3 _lockFile=$4 | |
| # Check sanity of the input | |
| if [ $# -ne "4" ] | |
| then | |
| echo "Usage: dconf_lock 'dconf_path' 'dconf_setting' 'dconf_db' 'dconf_lockfile'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Check for setting in any of the DConf db directories | |
| LOCKFILES=$(grep -r "^/${_key}/${_setting}$" "/etc/dconf/db/" | grep -v "distro\|ibus" | cut -d":" -f1) | |
| LOCKSFOLDER="/etc/dconf/db/${_db}/locks" | |
| mkdir -p "${LOCKSFOLDER}" | |
| if [[ -z "${LOCKFILES}" ]] | |
| then | |
| echo "/${_key}/${_setting}" >> "/etc/dconf/db/${_db}/locks/${_lockFile}" | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_perform_audit_adjtimex_settimeofday_stime_remediation" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function perform_audit_adjtimex_settimeofday_stime_remediation</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value># Function to fix syscall audit rule for given system call. It is | |
| # based on example audit syscall rule definitions as outlined in | |
| # /usr/share/doc/audit-2.3.7/stig.rules file provided with the audit | |
| # package. It will combine multiple system calls belonging to the same | |
| # syscall group into one audit rule (rather than to create audit rule per | |
| # different system call) to avoid audit infrastructure performance penalty | |
| # in the case of 'one-audit-rule-definition-per-one-system-call'. See: | |
| # | |
| # https://www.redhat.com/archives/linux-audit/2014-November/msg00009.html | |
| # | |
| # for further details. | |
| # | |
| # Expects five arguments (each of them is required) in the form of: | |
| # * audit tool tool used to load audit rules, | |
| # either 'auditctl', or 'augenrules' | |
| # * audit rules' pattern audit rule skeleton for same syscall | |
| # * syscall group greatest common string this rule shares | |
| # with other rules from the same group | |
| # * architecture architecture this rule is intended for | |
| # * full form of new rule to add expected full form of audit rule as to be | |
| # added into audit.rules file | |
| # | |
| # Note: The 2nd through 4th arguments are used to determine how many existing | |
| # audit rules will be inspected for resemblance with the new audit rule | |
| # (5th argument) the function is going to add. The rule's similarity check | |
| # is performed to optimize audit.rules definition (merge syscalls of the same | |
| # group into one rule) to avoid the "single-syscall-per-audit-rule" performance | |
| # penalty. | |
| # | |
| # Example call: | |
| # | |
| # See e.g. 'audit_rules_file_deletion_events.sh' remediation script | |
| # | |
| function fix_audit_syscall_rule { | |
| # Load function arguments into local variables | |
| local tool="$1" | |
| local pattern="$2" | |
| local group="$3" | |
| local arch="$4" | |
| local full_rule="$5" | |
| # Check sanity of the input | |
| if [ $# -ne "5" ] | |
| then | |
| echo "Usage: fix_audit_syscall_rule 'tool' 'pattern' 'group' 'arch' 'full rule'" | |
| echo "Aborting." | |
| exit 1 | |
| fi | |
| # Create a list of audit *.rules files that should be inspected for presence and correctness | |
| # of a particular audit rule. The scheme is as follows: | |
| # | |
| # ----------------------------------------------------------------------------------------- | |
| # Tool used to load audit rules | Rule already defined | Audit rules file to inspect | | |
| # ----------------------------------------------------------------------------------------- | |
| # auditctl | Doesn't matter | /etc/audit/audit.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # augenrules | Yes | /etc/audit/rules.d/*.rules | | |
| # augenrules | No | /etc/audit/rules.d/$key.rules | | |
| # ----------------------------------------------------------------------------------------- | |
| # | |
| declare -a files_to_inspect | |
| retval=0 | |
| # First check sanity of the specified audit tool | |
| if [ "$tool" != 'auditctl' ] && [ "$tool" != 'augenrules' ] | |
| then | |
| echo "Unknown audit rules loading tool: $1. Aborting." | |
| echo "Use either 'auditctl' or 'augenrules'!" | |
| return 1 | |
| # If audit tool is 'auditctl', then add '/etc/audit/audit.rules' | |
| # file to the list of files to be inspected | |
| elif [ "$tool" == 'auditctl' ] | |
| then | |
| files_to_inspect=("${files_to_inspect[@]}" '/etc/audit/audit.rules' ) | |
| # If audit tool is 'augenrules', then check if the audit rule is defined | |
| # If rule is defined, add '/etc/audit/rules.d/*.rules' to the list for inspection | |
| # If rule isn't defined yet, add '/etc/audit/rules.d/$key.rules' to the list for inspection | |
| elif [ "$tool" == 'augenrules' ] | |
| then | |
| # Extract audit $key from audit rule so we can use it later | |
| key=$(expr "$full_rule" : '.*-k[[:space:]]\([^[:space:]]\+\)' '|' "$full_rule" : '.*-F[[:space:]]key=\([^[:space:]]\+\)') | |
| # Check if particular audit rule is already defined | |
| IFS=$'\n' matches=($(sed -s -n -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d;F" /etc/audit/rules.d/*.rules)) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| for match in "${matches[@]}" | |
| do | |
| files_to_inspect=("${files_to_inspect[@]}" "${match}") | |
| done | |
| # Case when particular rule isn't defined in /etc/audit/rules.d/*.rules yet | |
| if [ ${#files_to_inspect[@]} -eq "0" ] | |
| then | |
| files_to_inspect="/etc/audit/rules.d/$key.rules" | |
| if [ ! -e "$files_to_inspect" ] | |
| then | |
| touch "$files_to_inspect" | |
| chmod 0640 "$files_to_inspect" | |
| fi | |
| fi | |
| fi | |
| # | |
| # Indicator that we want to append $full_rule into $audit_file by default | |
| local append_expected_rule=0 | |
| for audit_file in "${files_to_inspect[@]}" | |
| do | |
| # Filter existing $audit_file rules' definitions to select those that: | |
| # * follow the rule pattern, and | |
| # * meet the hardware architecture requirement, and | |
| # * are current syscall group specific | |
| IFS=$'\n' existing_rules=($(sed -e "\;${pattern};!d" -e "/${arch}/!d" -e "/${group}/!d" "$audit_file")) | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # Reset IFS back to default | |
| unset IFS | |
| # Process rules found case-by-case | |
| for rule in "${existing_rules[@]}" | |
| do | |
| # Found rule is for same arch & key, but differs (e.g. in count of -S arguments) | |
| if [ "${rule}" != "${full_rule}" ] | |
| then | |
| # If so, isolate just '(-S \w)+' substring of that rule | |
| rule_syscalls=$(echo $rule | grep -o -P '(-S \w+ )+') | |
| # Check if list of '-S syscall' arguments of that rule is subset | |
| # of '-S syscall' list of expected $full_rule | |
| if grep -q -- "$rule_syscalls" <<< "$full_rule" | |
| then | |
| # Rule is covered (i.e. the list of -S syscalls for this rule is a | |
| # subset of the -S syscalls of $full_rule) => existing rule can be deleted | |
| # Thus delete the rule from audit.rules & our array | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| existing_rules=("${existing_rules[@]//$rule/}") | |
| else | |
| # Rule isn't covered by $full_rule - besides -S syscall arguments | |
| # for this group, it also contains -S syscall arguments for another syscall | |
| # group. Example: '-S lchown -S fchmod -S fchownat' => group='chown' | |
| # since 'lchown' & 'fchownat' share 'chown' substring | |
| # Therefore: | |
| # * 1) delete the original rule from audit.rules | |
| # (original '-S lchown -S fchmod -S fchownat' rule would be deleted) | |
| # * 2) delete the -S syscall arguments for this syscall group, but | |
| # keep those not belonging to this syscall group | |
| # (original '-S lchown -S fchmod -S fchownat' would become '-S fchmod') | |
| # * 3) append the modified (filtered) rule again into audit.rules | |
| # if the same rule is not already present | |
| # | |
| # 1) Delete the original rule | |
| sed -i -e "\;${rule};d" "$audit_file" | |
| if [ $? -ne 0 ] | |
| then | |
| retval=1 | |
| fi | |
| # 2) Delete syscalls for this group, but keep those from other groups | |
| # Convert current rule syscall's string into array splitting by '-S' delimiter | |
| IFS=$'-S' read -a rule_syscalls_as_array <<< "$rule_syscalls" | |
| # Reset IFS back to default | |
| unset IFS | |
| # Declare new empty string to hold '-S syscall' arguments from other groups | |
| new_syscalls_for_rule='' | |
| # Walk through existing '-S syscall' arguments | |
| for syscall_arg in "${rule_syscalls_as_array[@]}" | |
| do | |
| # Skip empty $syscall_arg values | |
| if [ "$syscall_arg" == '' ] | |
| then | |
| continue | |
| fi | |
| # If the '-S syscall' doesn't belong to current group add it to the new list | |
| # (together with adding '-S' delimiter back for each of such item found) | |
| if grep -q -v -- "$group" <<< "$syscall_arg" | |
| then | |
| new_syscalls_for_rule="$new_syscalls_for_rule -S $syscall_arg" | |
| fi | |
| done | |
| # Replace original '-S syscall' list with the new one for this rule | |
| updated_rule=${rule//$rule_syscalls/$new_syscalls_for_rule} | |
| # Squeeze repeated whitespace characters in rule definition (if any) into one | |
| updated_rule=$(echo "$updated_rule" | tr -s '[:space:]') | |
| # 3) Append the modified / filtered rule again into audit.rules | |
| # (but only in case it's not present yet to prevent duplicate definitions) | |
| if ! grep -q -- "$updated_rule" "$audit_file" | |
| then | |
| echo "$updated_rule" >> "$audit_file" | |
| fi | |
| fi | |
| else | |
| # $audit_file already contains the expected rule form for this | |
| # architecture & key => don't insert it second time | |
| append_expected_rule=1 | |
| fi | |
| done | |
| # We deleted all rules that were subset of the expected one for this arch & key. | |
| # Also isolated rules containing system calls not from this system calls group. | |
| # Now append the expected rule if it's not present in $audit_file yet | |
| if [[ ${append_expected_rule} -eq "0" ]] | |
| then | |
| echo "$full_rule" >> "$audit_file" | |
| fi | |
| done | |
| return $retval | |
| } | |
| # Function to perform remediation for the 'adjtimex', 'settimeofday', and 'stime' audit | |
| # system calls on RHEL, Fedora or OL systems. | |
| # Remediation performed for both possible tools: 'auditctl' and 'augenrules'. | |
| # | |
| # Note: 'stime' system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) | |
| # therefore excluded from the list of time group system calls to be audited on this arch | |
| # | |
| # Example Call: | |
| # | |
| # perform_audit_adjtimex_settimeofday_stime_remediation | |
| # | |
| function perform_audit_adjtimex_settimeofday_stime_remediation { | |
| # Retrieve hardware architecture of the underlying system | |
| [ $(getconf LONG_BIT) = "32" ] && RULE_ARCHS=("b32") || RULE_ARCHS=("b32" "b64") | |
| for ARCH in "${RULE_ARCHS[@]}" | |
| do | |
| PATTERN="-a always,exit -F arch=${ARCH} -S .* -k *" | |
| # Create expected audit group and audit rule form for particular system call & architecture | |
| if [ ${ARCH} = "b32" ] | |
| then | |
| # stime system call is known at 32-bit arch (see e.g "$ ausyscall i386 stime" 's output) | |
| # so append it to the list of time group system calls to be audited | |
| GROUP="\(adjtimex\|settimeofday\|stime\)" | |
| FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -S stime -k audit_time_rules" | |
| elif [ ${ARCH} = "b64" ] | |
| then | |
| # stime system call isn't known at 64-bit arch (see "$ ausyscall x86_64 stime" 's output) | |
| # therefore don't add it to the list of time group system calls to be audited | |
| GROUP="\(adjtimex\|settimeofday\)" | |
| FULL_RULE="-a always,exit -F arch=${ARCH} -S adjtimex -S settimeofday -k audit_time_rules" | |
| fi | |
| # Perform the remediation for both possible tools: 'auditctl' and 'augenrules' | |
| fix_audit_syscall_rule "auditctl" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" | |
| fix_audit_syscall_rule "augenrules" "$PATTERN" "$GROUP" "$ARCH" "$FULL_RULE" | |
| done | |
| } | |
| </value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_function_set_faillock_option_to_value_in_pam_file" hidden="true" prohibitChanges="true" operator="equals" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Remediation function set_faillock_option_to_value_in_pam_file</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Shared bash remediation function. Not intended to be changed by tailoring.</description> | |
| <value>function set_faillock_option_to_value_in_pam_file { | |
| # If invoked with no arguments, exit. This is an intentional behavior. | |
| [ $# -gt 1 ] || return 0 | |
| [ $# -ge 3 ] || die "$0 requires exactly zero, three, or four arguments" | |
| [ $# -le 4 ] || die "$0 requires exactly zero, three, or four arguments" | |
| local _pamFile="$1" _option="$2" _value="$3" _insert_lines_callback="$4" | |
| # pam_faillock.so already present? | |
| if grep -q "^auth.*pam_faillock.so.*" "$_pamFile"; then | |
| # pam_faillock.so present, is the option present? | |
| if grep -q "^auth.*\[default=die\].*pam_faillock.so.*authfail.*$_option=" "$_pamFile"; then | |
| # both pam_faillock.so & option present, just correct option to the right value | |
| sed -i --follow-symlinks "s/\(^auth.*required.*pam_faillock.so.*preauth.*silent.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" | |
| sed -i --follow-symlinks "s/\(^auth.*\[default=die\].*pam_faillock.so.*authfail.*\)\($_option *= *\).*/\1\2$_value/" "$_pamFile" | |
| # pam_faillock.so present, but the option not yet | |
| else | |
| # append correct option value to appropriate places | |
| sed -i --follow-symlinks "/^auth.*required.*pam_faillock.so.*preauth.*silent.*/ s/$/ $_option=$_value/" "$_pamFile" | |
| sed -i --follow-symlinks "/^auth.*\[default=die\].*pam_faillock.so.*authfail.*/ s/$/ $_option=$_value/" "$_pamFile" | |
| fi | |
| # pam_faillock.so not present yet | |
| else | |
| test -z "$_insert_lines_callback" || "$_insert_lines_callback" "$_option" "$_value" "$_pamFile" | |
| # insert pam_faillock.so preauth & authfail rows with proper value of the option in question | |
| fi | |
| } | |
| </value> | |
| </Value> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Introduction</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The purpose of this guidance is to provide security configuration | |
| recommendations and baselines for the Red Hat Enterprise Linux 7 operating | |
| system. Recommended settings for the basic operating system are provided, | |
| as well as for many network services that the system can provide to other systems. | |
| The guide is intended for system administrators. Readers are assumed to | |
| possess basic system administration skills for Unix-like systems, as well | |
| as some familiarity with the product's documentation and administration | |
| conventions. Some instructions within this guide are complex. | |
| All directions should be followed completely and with understanding of | |
| their effects in order to avoid serious adverse effects on the system | |
| and its security.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_how-to-use"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">How to Use This Guide</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Readers should heed the following points when using the guide.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-read-sections-completely"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Read Sections Completely and in Order</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Each section may build on information and recommendations discussed in | |
| prior sections. Each section should be read and understood completely; | |
| instructions should never be blindly applied. Relevant discussion may | |
| occur after instructions for an action.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Root Shell Environment Assumed</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Most of the actions listed in this document are written with the | |
| assumption that they will be executed by the root user running the | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">/bin/bash</html:code> shell. Commands preceded with a hash mark (#) | |
| assume that the administrator will execute the commands as root, i.e. | |
| apply the command via <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> whenever possible, or use | |
| <html:code xmlns:html="http://www.w3.org/1999/xhtml">su</html:code> to gain root privileges if <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> cannot be | |
| used. Commands which can be executed as a non-root user are preceded | |
| by a dollar sign ($) prompt.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-reboot-required"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Reboot Required</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">A system reboot is implicitly required after some actions in order to | |
| complete the reconfiguration of the system. In many cases, the changes | |
| will not take effect until a reboot is performed. In order to ensure | |
| that changes are applied properly and to test functionality, always | |
| reboot the system after applying a set of recommendations from this guide.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-test-non-production"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Test in Non-Production Environment</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">This guidance should always be tested in a non-production environment | |
| before deployment. This test environment should simulate the setup in | |
| which the system will be deployed as closely as possible.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_intro-formatting-conventions"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Formatting Conventions</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Commands intended for shell execution, as well as configuration file text, | |
| are featured in a <html:code xmlns:html="http://www.w3.org/1999/xhtml">monospace font</html:code>. <html:i xmlns:html="http://www.w3.org/1999/xhtml">Italics</html:i> are used | |
| to indicate instances where the system administrator must substitute | |
| the appropriate information into a command or configuration file.</description> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_general-principles"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">General Principles</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The following general principles motivate much of the advice in this | |
| guide and should also influence any configuration decisions that are | |
| not explicitly covered.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-least-privilege"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Least Privilege</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Grant the least privilege necessary for user accounts and software to perform tasks. | |
| For example, <html:code xmlns:html="http://www.w3.org/1999/xhtml">sudo</html:code> can be implemented to limit authorization to super user | |
| accounts on the system only to designated personnel. Another example is to limit | |
| logins on server systems to only those administrators who need to log into them in | |
| order to perform administration tasks. Using SELinux also follows the principle of | |
| least privilege: SELinux policy can confine software to perform only actions on the | |
| system that are specifically allowed. This can be far more restrictive than the | |
| actions permissible by the traditional Unix permissions model.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-separate-servers"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Run Different Network Services on Separate Systems</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Whenever possible, a server should be dedicated to serving exactly one | |
| network service. This limits the number of other services that can | |
| be compromised in the event that an attacker is able to successfully | |
| exploit a software flaw in one network service.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-use-security-tools"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure Security Tools to Improve System Robustness</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Several tools exist which can be effectively used to improve a system's | |
| resistance to and detection of unknown attacks. These tools can improve | |
| robustness against attack at the cost of relatively little configuration | |
| effort. In particular, this guide recommends and discusses the use of | |
| host-based firewalling, SELinux for protection against | |
| vulnerable services, and a logging and auditing infrastructure for | |
| detection of problems.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-minimize-software"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Minimize Software to Minimize Vulnerability</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">The simplest way to avoid vulnerabilities in software is to avoid | |
| installing that software. On Red Hat Enterprise Linux 7, the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM) | |
| allows for careful management of | |
| the set of software packages installed on a system. Installed software | |
| contributes to system vulnerability in several ways. Packages that | |
| include setuid programs may provide local attackers a potential path to | |
| privilege escalation. Packages that include network services may give | |
| this opportunity to network-based attackers. Packages that include | |
| programs which are predictably executed by local users (e.g. after | |
| graphical login) may provide opportunities for trojan horses or other | |
| attack code to be run undetected. The number of software packages | |
| installed on a system can almost always be significantly pruned to include | |
| only the software for which there is an environmental or operational need.</description> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Data transmitted over a network, whether wired or wireless, is susceptible | |
| to passive monitoring. Whenever practical solutions for encrypting | |
| such data exist, they should be applied. Even if data is expected to | |
| be transmitted only over a local network, it should still be encrypted. | |
| Encrypting authentication data, such as passwords, is particularly | |
| important. Networks of Red Hat Enterprise Linux 7 machines can and should be configured | |
| so that no unencrypted authentication data is ever transmitted between | |
| machines.</description> | |
| </Group> | |
| </Group> | |
| </Group> | |
| <Group id="xccdf_org.ssgproject.content_group_system"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">System Settings</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Contains rules that check correct system settings.</description> | |
| <Group id="xccdf_org.ssgproject.content_group_selinux"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux is a feature of the Linux kernel which can be | |
| used to guard against misconfigured or compromised programs. | |
| SELinux enforces the idea that programs should be limited in what | |
| files they can access and what actions they can take. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| The default SELinux policy, as configured on Red Hat Enterprise Linux 7, has been | |
| sufficiently developed and debugged that it should be usable on | |
| almost any Red Hat system with minimal configuration and a small | |
| amount of system administrator training. This policy prevents | |
| system services - including most of the common network-visible | |
| services such as mail servers, FTP servers, and DNS servers - from | |
| accessing files which those services have no valid reason to | |
| access. This action alone prevents a huge amount of possible damage | |
| from network attacks against services, from trojaned software, and | |
| so forth. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| This guide recommends that SELinux be enabled using the | |
| default (targeted) policy on every Red Hat system, unless that | |
| system has unusual requirements which make a stronger policy | |
| appropriate. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/><html:br xmlns:html="http://www.w3.org/1999/xhtml"/> | |
| For more information on SELinux, see <html:b xmlns:html="http://www.w3.org/1999/xhtml"><html:a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide</html:a></html:b>.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinux_state" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux state</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">enforcing - SELinux security policy is enforced. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>permissive - SELinux prints warnings instead of enforcing. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>disabled - SELinux is fully disabled.</description> | |
| <value>enforcing</value> | |
| <value selector="disabled">disabled</value> | |
| <value selector="enforcing">enforcing</value> | |
| <value selector="permissive">permissive</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinux_policy_name" type="string"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux policy</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Type of policy in use. Possible values are: | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>targeted - Only targeted network daemons are protected. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>strict - Full SELinux protection. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>mls - Multiple levels of security.</description> | |
| <value>targeted</value> | |
| <value selector="mls">mls</value> | |
| <value selector="targeted">targeted</value> | |
| </Value> | |
| <Group id="xccdf_org.ssgproject.content_group_selinux-booleans"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">SELinux - Booleans</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable or disable runtime customization of SELinux system policies | |
| without having to reload or recompile the SELinux policy.</description> | |
| <Value id="xccdf_org.ssgproject.content_value_var_fips_mode" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fips_mode SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logadm_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logadm_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_gluster_export_all_ro" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gluster_export_all_ro SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_session_bind_all_unreserved_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_session_bind_all_unreserved_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_condor_tcp_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">condor_tcp_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">antivirus_can_scan_system SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_abrt_upload_watch_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">abrt_upload_watch_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_enable_cgi" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_enable_cgi SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_minidlna_read_generic_user_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">minidlna_read_generic_user_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_gpg_web_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gpg_web_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_openvpn_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">openvpn_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ssh_sysadm_login" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ssh_sysadm_login SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polipo_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_can_sendmail" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logging_syslogd_can_sendmail SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_bind_unreserved_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_plugin_bind_unreserved_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_ftp" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_connect_ftp SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_secure_mode_policyload" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">secure_mode_policyload SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_irssi_use_full_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">irssi_use_full_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_samba" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_samba SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xdm_write_home" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xdm_write_home SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_staff_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">staff_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_irc_use_any_tcp_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">irc_use_any_tcp_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_piranha_lvs_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">piranha_lvs_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_run_ipa" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_run_ipa SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cobbler_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cobbler_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_webadm_manage_user_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">webadm_manage_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_connect_cobbler" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_connect_cobbler SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">secure_mode_insmod SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_share_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_share_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_udp_server" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_udp_server SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_share_music" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_share_music SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nscd_use_shm" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nscd_use_shm SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_daemons_enable_cluster_mode" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">daemons_enable_cluster_mode SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_gitosis_can_sendmail" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gitosis_can_sendmail SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logrotate_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logrotate_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_fenced_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fenced_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_verify_dns" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_verify_dns SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_load_libgfapi" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_load_libgfapi SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_samba" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sanlock_use_samba SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_run_nagios_plugins" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logging_syslogd_run_nagios_plugins SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_kerberos_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">kerberos_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_lsmd_plugin_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">lsmd_plugin_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_pcp_read_generic_logs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">pcp_read_generic_logs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xguest_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xguest_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_unconfined_login" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">unconfined_login SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_dbadm_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dbadm_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_rsync_export_all_ro" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rsync_export_all_ro SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_rawip" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_rawip SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_unified" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_unified SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_secure_mode" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">secure_mode SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_execheap SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sge_domain_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sge_domain_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_users_ddl" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_selinux_users_ddl SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_swift_can_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">swift_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_dbus_avahi" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_dbus_avahi SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_awstats_purge_apache_log_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">awstats_purge_apache_log_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_daemons_use_tcp_wrapper" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">daemons_use_tcp_wrapper SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_create_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_create_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_passive_mode" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_use_passive_mode SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xserver_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xserver_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_portmapper" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_portmapper SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polipo_connect_all_unreserved" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_connect_all_unreserved SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mcelog_client" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mcelog_client SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_exim_can_connect_db" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">exim_can_connect_db SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_use_tty" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logging_syslogd_use_tty SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mcelog_server" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mcelog_server SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_pppd_for_user" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">pppd_for_user SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cvs_read_shadow" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cvs_read_shadow SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_use_nfs_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">use_nfs_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_run_stickshift" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_run_stickshift SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_memcache" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_memcache SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_zabbix_can_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zabbix_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_secadm_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">secadm_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_exim_read_user_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">exim_read_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mpd_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mpd_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_transition_userdomain" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_transition_userdomain SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_abrt_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">abrt_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_varnishd_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">varnishd_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sftpd_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sftpd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_pppd_can_insmod" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">pppd_can_insmod SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_builtin_scripting" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_builtin_scripting SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_tcp_server" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_tcp_server SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_pcp_bind_all_unreserved_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">pcp_bind_all_unreserved_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_glance_use_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">glance_use_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xserver_object_manager" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xserver_object_manager SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_tty_comm" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_tty_comm SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_serve_cobbler_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_serve_cobbler_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nagios_run_sudo" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nagios_run_sudo SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_enable_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_enable_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_use_ssh_chroot" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_use_ssh_chroot SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_pam" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_mod_auth_pam SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_export_all_ro" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_export_all_ro SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_use_fusefs_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">use_fusefs_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xguest_connect_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xguest_connect_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_domain_controller" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_domain_controller SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_icecast_use_any_tcp_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">icecast_use_any_tcp_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cron_system_cronjob_use_shares" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cron_system_cronjob_use_shares SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_execmod" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_execmod SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_zebra_write_config" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zebra_write_config SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_bluejeans" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_plugin_use_bluejeans SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cobbler_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cobbler_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_manage_ipa" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_manage_ipa SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mock_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mock_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nagios_run_pnp4nagios" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nagios_run_pnp4nagios SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_transmit_client_label" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_selinux_transmit_client_label SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_sanlock" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_sanlock SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_postfix_local_write_mail_spool" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postfix_local_write_mail_spool SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cluster_manage_all_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cluster_manage_all_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_system_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_system_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mysql_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mysql_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_use_openstack" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_openstack SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_zarafa_setrlimit" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zarafa_setrlimit SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xend_run_qemu" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xend_run_qemu SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_xserver" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_xserver SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_postgresql_connect_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_postgresql_connect_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mpd_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mpd_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_docker_transition_unconfined" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">docker_transition_unconfined SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sysadm_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sysadm_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_tor_bind_all_unreserved_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tor_bind_all_unreserved_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polipo_session_users" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_session_users SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_deny_ptrace" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">deny_ptrace SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xdm_exec_bootloader" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xdm_exec_bootloader SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nfs_export_all_ro" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nfs_export_all_ro SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_gssd_read_tmp" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gssd_read_tmp SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_run_unconfined" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_run_unconfined SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_use_sasl" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_sasl SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_neutron_can_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">neutron_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_dbus_sssd" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_dbus_sssd SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_graceful_shutdown" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_graceful_shutdown SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_use_lpd_server" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">use_lpd_server SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nfs_export_all_rw" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nfs_export_all_rw SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_netlink" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_netlink SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_domain_fd_use" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">domain_fd_use SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mmap_low_allowed" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mmap_low_allowed SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_rw_noexattrfile" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_rw_noexattrfile SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ssh_keysign" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ssh_keysign SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_enable_ftp_server" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_enable_ftp_server SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ksmtuned_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ksmtuned_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_unconfined_mozilla_plugin_transition" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">unconfined_mozilla_plugin_transition SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_ldap" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_connect_ldap SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mcelog_exec_scripts" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mcelog_exec_scripts SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_tmpreaper_use_samba" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tmpreaper_use_samba SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cron_userdomain_transition" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cron_userdomain_transition SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_samba" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_samba SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xguest_mount_media" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xguest_mount_media SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_relay" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_relay SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_cgi_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_cgi_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_deny_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">deny_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_tor_can_network_relay" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tor_can_network_relay SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_all_caps" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_all_caps SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_run_preupgrade" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_run_preupgrade SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xdm_sysadm_login" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xdm_sysadm_login SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sanlock_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_read_qemu_ga_data" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_read_qemu_ga_data SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ssh_chroot_rw_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ssh_chroot_rw_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_puppetagent_manage_all_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">puppetagent_manage_all_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_puppetmaster_use_db" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">puppetmaster_use_db SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_zoneminder_run_sudo" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zoneminder_run_sudo SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_execstack" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_execstack SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_audit" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_audit SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_smartmon_3ware" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">smartmon_3ware SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_read_user_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_read_user_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_user_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">user_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_authlogin_radius" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">authlogin_radius SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_system_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_system_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_ping SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_direct_dri_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_direct_dri_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_mythtv" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_connect_mythtv SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_privoxy_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">privoxy_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_squid_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">squid_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_dbadm_read_user_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dbadm_read_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cluster_use_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cluster_use_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_tftp_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tftp_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sge_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sge_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cron_can_relabel" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cron_can_relabel SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_session_users" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_session_users SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cobbler_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cobbler_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_rw_qemu_ga_data" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_rw_qemu_ga_data SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_setrlimit" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_setrlimit SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_telepathy_tcp_connect_generic_network_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">telepathy_tcp_connect_generic_network_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sftpd_full_access" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sftpd_full_access SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_named_tcp_bind_http_port" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">named_tcp_bind_http_port SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_collectd_tcp_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">collectd_tcp_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sftpd_write_ssh_home" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sftpd_write_ssh_home SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_spamd_enable_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">spamd_enable_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_openvpn_run_unconfined" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">openvpn_run_unconfined SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_auditadm_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">auditadm_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_plugin_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_named_write_master_zones" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">named_write_master_zones SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_mysql_connect_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">selinuxuser_mysql_connect_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_ssi_exec" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_ssi_exec SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_smbd_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">smbd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_telepathy_connect_all_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">telepathy_connect_all_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_rsync_client" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rsync_client SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_mknod" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_mknod SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_saslauthd_read_shadow" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">saslauthd_read_shadow SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_gluster_export_all_rw" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gluster_export_all_rw SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_connect_db" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_connect_db SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_dbadm_manage_user_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dbadm_manage_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_webadm_read_user_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">webadm_read_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_cgi_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_cgi_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_gluster_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">gluster_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_global_ssp" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">global_ssp SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xserver_clients_write_xshm" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xserver_clients_write_xshm SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_full_access" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_full_access SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nfsd_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nfsd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_sys_script_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_sys_script_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mozilla_read_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_read_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_check_spam" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_check_spam SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_spice" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_plugin_use_spice SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_spamassassin_can_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">spamassassin_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_daemons_dump_core" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">daemons_dump_core SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_domain_kernel_load_modules" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">domain_kernel_load_modules SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_usb" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_usb SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_entropyd_use_audio" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">entropyd_use_audio SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_system_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_system_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_export_all_rw" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_export_all_rw SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_rsync_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rsync_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_unprivuser_use_svirt" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">unprivuser_use_svirt SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_unconfined_dbadm" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_selinux_unconfined_dbadm SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mailman_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mailman_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_nis_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">nis_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_exim_manage_user_files" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">exim_manage_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_dhcpd_use_ldap" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dhcpd_use_ldap SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_glance_api_can_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">glance_api_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_antivirus_use_jit" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">antivirus_use_jit SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_abrt_handle_event" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">abrt_handle_event SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_gps" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mozilla_plugin_use_gps SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_git_cgi_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">git_cgi_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_use_ecryptfs_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">use_ecryptfs_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polipo_session_bind_all_unreserved_ports" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_session_bind_all_unreserved_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_unconfined_chrome_sandbox_transition" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">unconfined_chrome_sandbox_transition SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_boinc_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">boinc_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_prosody_bind_http_port" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">prosody_bind_http_port SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_tftp_home_dir" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tftp_home_dir SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xen_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xen_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_racoon_read_shadow" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">racoon_read_shadow SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cdrecord_read_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cdrecord_read_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_authlogin_nsswitch_use_ldap" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">authlogin_nsswitch_use_ldap SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_ntlm_winbind" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_mod_auth_ntlm_winbind SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_connect_db" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_connect_db SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_fenced_can_ssh" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fenced_can_ssh SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xguest_use_bluetooth" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xguest_use_bluetooth SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_guest_exec_content" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">guest_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_haproxy_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">haproxy_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ksmtuned_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ksmtuned_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_zabbix" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_connect_zabbix SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_postgresql_can_rsync" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">postgresql_can_rsync SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_docker_connect_any" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">docker_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_wine_mmap_zero_ignore" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">wine_mmap_zero_ignore SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_daemons_use_tty" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">daemons_use_tty SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cobbler_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cobbler_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_connect_all_unreserved" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_connect_all_unreserved SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_dhcpc_exec_iptables" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">dhcpc_exec_iptables SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_use_gpg" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_use_gpg SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cups_execmem" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cups_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_authlogin_yubikey" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">authlogin_yubikey SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_use_samba_home_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">use_samba_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_fcron_crond" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">fcron_crond SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_tmp_exec" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_tmp_exec SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xdm_bind_vnc_tcp_port" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xdm_bind_vnc_tcp_port SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_dontaudit_search_dirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_dontaudit_search_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_glance_use_fusefs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">glance_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_openshift_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">openshift_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_squid_use_tproxy" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">squid_use_tproxy SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mcelog_foreground" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mcelog_foreground SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftp_home_dir" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftp_home_dir SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_samba_share_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">samba_share_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_use_comm" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_use_comm SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">ftpd_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polyinstantiation_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polyinstantiation_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_staff_use_svirt" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">staff_use_svirt SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_conman_can_network" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">conman_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_openvpn_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">openvpn_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mplayer_execstack" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mplayer_execstack SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sftpd_enable_homedirs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sftpd_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_rsync_full_access" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">rsync_full_access SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">sanlock_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_zoneminder_anon_write" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">zoneminder_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_logwatch_can_network_connect_mail" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">logwatch_can_network_connect_mail SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mpd_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mpd_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_xend_run_blktap" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">xend_run_blktap SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_login_console_enabled" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">login_console_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_tmpreaper_use_nfs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">tmpreaper_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_mount_anyfile" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">mount_anyfile SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>true</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_httpd_can_sendmail" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">httpd_can_sendmail SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_polipo_use_cifs" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">polipo_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_sys_admin" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">virt_sandbox_use_sys_admin SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_cluster_can_network_connect" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">cluster_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Value id="xccdf_org.ssgproject.content_value_var_kdumpgui_run_bootloader" type="boolean"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">kdumpgui_run_bootloader SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">default - Default SELinux boolean setting. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>on - SELinux boolean is enabled. | |
| <html:br xmlns:html="http://www.w3.org/1999/xhtml"/>off - SELinux boolean is disabled.</description> | |
| <value>false</value> | |
| <value selector="off">false</value> | |
| <value selector="on">true</value> | |
| </Value> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_dbus_sssd" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_dbus_sssd SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_dbus_sssd</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_dbus_sssd</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_dbus_sssd off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_dbus_sssd" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_dbus_sssd="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_dbus_sssd" use="legacy"/>" | |
| setsebool -P httpd_dbus_sssd $var_httpd_dbus_sssd | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_dbus_sssd" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_dbus_sssd # promote to variable | |
| set_fact: | |
| var_httpd_dbus_sssd: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_dbus_sssd" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_dbus_sssd accordingly | |
| seboolean: | |
| name: httpd_dbus_sssd | |
| state: "{{ var_httpd_dbus_sssd }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_dbus_sssd | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_dbus_sssd:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_dbus_sssd"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_dbus_sssd:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_dbus_sssd_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_fenced_can_ssh" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the fenced_can_ssh SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">fenced_can_ssh</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">fenced_can_ssh</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P fenced_can_ssh off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_fenced_can_ssh" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_fenced_can_ssh="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_fenced_can_ssh" use="legacy"/>" | |
| setsebool -P fenced_can_ssh $var_fenced_can_ssh | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_fenced_can_ssh" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_fenced_can_ssh # promote to variable | |
| set_fact: | |
| var_fenced_can_ssh: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_fenced_can_ssh" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean fenced_can_ssh accordingly | |
| seboolean: | |
| name: fenced_can_ssh | |
| state: "{{ var_fenced_can_ssh }}" | |
| persistent: yes | |
| tags: | |
| - sebool_fenced_can_ssh | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_fenced_can_ssh:var:1" value-id="xccdf_org.ssgproject.content_value_var_fenced_can_ssh"/> | |
| <check-content-ref name="oval:ssg-sebool_fenced_can_ssh:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_fenced_can_ssh_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_execmod" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the selinuxuser_execmod SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">selinuxuser_execmod</html:code> is enabled. | |
| If this setting is disabled, it should be enabled. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">selinuxuser_execmod</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P selinuxuser_execmod on</html:pre></description> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</reference> | |
| <reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_selinuxuser_execmod" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_selinuxuser_execmod="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execmod" use="legacy"/>" | |
| setsebool -P selinuxuser_execmod $var_selinuxuser_execmod | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_selinuxuser_execmod" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_selinuxuser_execmod # promote to variable | |
| set_fact: | |
| var_selinuxuser_execmod: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execmod" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean selinuxuser_execmod accordingly | |
| seboolean: | |
| name: selinuxuser_execmod | |
| state: "{{ var_selinuxuser_execmod }}" | |
| persistent: yes | |
| tags: | |
| - sebool_selinuxuser_execmod | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_selinuxuser_execmod:var:1" value-id="xccdf_org.ssgproject.content_value_var_selinuxuser_execmod"/> | |
| <check-content-ref name="oval:ssg-sebool_selinuxuser_execmod:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_selinuxuser_execmod_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_virt_use_rawip" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the virt_use_rawip SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_use_rawip</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_use_rawip</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P virt_use_rawip off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_use_rawip" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_virt_use_rawip="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_use_rawip" use="legacy"/>" | |
| setsebool -P virt_use_rawip $var_virt_use_rawip | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_use_rawip" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_virt_use_rawip # promote to variable | |
| set_fact: | |
| var_virt_use_rawip: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_use_rawip" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean virt_use_rawip accordingly | |
| seboolean: | |
| name: virt_use_rawip | |
| state: "{{ var_virt_use_rawip }}" | |
| persistent: yes | |
| tags: | |
| - sebool_virt_use_rawip | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_virt_use_rawip:var:1" value-id="xccdf_org.ssgproject.content_value_var_virt_use_rawip"/> | |
| <check-content-ref name="oval:ssg-sebool_virt_use_rawip:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_virt_use_rawip_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mcelog_client" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mcelog_client SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mcelog_client</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mcelog_client</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mcelog_client off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mcelog_client" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mcelog_client="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mcelog_client" use="legacy"/>" | |
| setsebool -P mcelog_client $var_mcelog_client | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mcelog_client" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mcelog_client # promote to variable | |
| set_fact: | |
| var_mcelog_client: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mcelog_client" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean mcelog_client accordingly | |
| seboolean: | |
| name: mcelog_client | |
| state: "{{ var_mcelog_client }}" | |
| persistent: yes | |
| tags: | |
| - sebool_mcelog_client | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mcelog_client:var:1" value-id="xccdf_org.ssgproject.content_value_var_mcelog_client"/> | |
| <check-content-ref name="oval:ssg-sebool_mcelog_client:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mcelog_client_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_saslauthd_read_shadow" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the saslauthd_read_shadow SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">saslauthd_read_shadow</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">saslauthd_read_shadow</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P saslauthd_read_shadow off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_saslauthd_read_shadow" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_saslauthd_read_shadow="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_saslauthd_read_shadow" use="legacy"/>" | |
| setsebool -P saslauthd_read_shadow $var_saslauthd_read_shadow | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_saslauthd_read_shadow" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_saslauthd_read_shadow # promote to variable | |
| set_fact: | |
| var_saslauthd_read_shadow: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_saslauthd_read_shadow" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean saslauthd_read_shadow accordingly | |
| seboolean: | |
| name: saslauthd_read_shadow | |
| state: "{{ var_saslauthd_read_shadow }}" | |
| persistent: yes | |
| tags: | |
| - sebool_saslauthd_read_shadow | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_saslauthd_read_shadow:var:1" value-id="xccdf_org.ssgproject.content_value_var_saslauthd_read_shadow"/> | |
| <check-content-ref name="oval:ssg-sebool_saslauthd_read_shadow:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_saslauthd_read_shadow_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_cron_can_relabel" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the cron_can_relabel SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron_can_relabel</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">cron_can_relabel</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P cron_can_relabel off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_cron_can_relabel" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_cron_can_relabel="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_cron_can_relabel" use="legacy"/>" | |
| setsebool -P cron_can_relabel $var_cron_can_relabel | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_cron_can_relabel" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_cron_can_relabel # promote to variable | |
| set_fact: | |
| var_cron_can_relabel: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_cron_can_relabel" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean cron_can_relabel accordingly | |
| seboolean: | |
| name: cron_can_relabel | |
| state: "{{ var_cron_can_relabel }}" | |
| persistent: yes | |
| tags: | |
| - sebool_cron_can_relabel | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_cron_can_relabel:var:1" value-id="xccdf_org.ssgproject.content_value_var_cron_can_relabel"/> | |
| <check-content-ref name="oval:ssg-sebool_cron_can_relabel:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_cron_can_relabel_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_daemons_enable_cluster_mode" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the daemons_enable_cluster_mode SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">daemons_enable_cluster_mode</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">daemons_enable_cluster_mode</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P daemons_enable_cluster_mode off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_daemons_enable_cluster_mode" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_daemons_enable_cluster_mode="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_daemons_enable_cluster_mode" use="legacy"/>" | |
| setsebool -P daemons_enable_cluster_mode $var_daemons_enable_cluster_mode | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_daemons_enable_cluster_mode" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_daemons_enable_cluster_mode # promote to variable | |
| set_fact: | |
| var_daemons_enable_cluster_mode: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_daemons_enable_cluster_mode" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean daemons_enable_cluster_mode accordingly | |
| seboolean: | |
| name: daemons_enable_cluster_mode | |
| state: "{{ var_daemons_enable_cluster_mode }}" | |
| persistent: yes | |
| tags: | |
| - sebool_daemons_enable_cluster_mode | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_daemons_enable_cluster_mode:var:1" value-id="xccdf_org.ssgproject.content_value_var_daemons_enable_cluster_mode"/> | |
| <check-content-ref name="oval:ssg-sebool_daemons_enable_cluster_mode:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_daemons_enable_cluster_mode_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_gssd_read_tmp" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the gssd_read_tmp SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">gssd_read_tmp</html:code> is enabled. | |
| This setting allows <html:code xmlns:html="http://www.w3.org/1999/xhtml">gssd</html:code> processes to read Kerberos | |
| ticket-granting tickets (TGTs) in the temp directory. If this setting is disabled, it should | |
| be enabled. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">gssd_read_tmp</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P gssd_read_tmp on</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_gssd_read_tmp" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_gssd_read_tmp="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_gssd_read_tmp" use="legacy"/>" | |
| setsebool -P gssd_read_tmp $var_gssd_read_tmp | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_gssd_read_tmp" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_gssd_read_tmp # promote to variable | |
| set_fact: | |
| var_gssd_read_tmp: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_gssd_read_tmp" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean gssd_read_tmp accordingly | |
| seboolean: | |
| name: gssd_read_tmp | |
| state: "{{ var_gssd_read_tmp }}" | |
| persistent: yes | |
| tags: | |
| - sebool_gssd_read_tmp | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_gssd_read_tmp:var:1" value-id="xccdf_org.ssgproject.content_value_var_gssd_read_tmp"/> | |
| <check-content-ref name="oval:ssg-sebool_gssd_read_tmp:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_gssd_read_tmp_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_pppd_for_user" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the pppd_for_user SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">pppd_for_user</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pppd_for_user</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P pppd_for_user off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_pppd_for_user" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_pppd_for_user="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_pppd_for_user" use="legacy"/>" | |
| setsebool -P pppd_for_user $var_pppd_for_user | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_pppd_for_user" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_pppd_for_user # promote to variable | |
| set_fact: | |
| var_pppd_for_user: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_pppd_for_user" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean pppd_for_user accordingly | |
| seboolean: | |
| name: pppd_for_user | |
| state: "{{ var_pppd_for_user }}" | |
| persistent: yes | |
| tags: | |
| - sebool_pppd_for_user | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_pppd_for_user:var:1" value-id="xccdf_org.ssgproject.content_value_var_pppd_for_user"/> | |
| <check-content-ref name="oval:ssg-sebool_pppd_for_user:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_pppd_for_user_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_xend_run_qemu" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the xend_run_qemu SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">xend_run_qemu</html:code> is enabled. | |
| If this setting is disabled, it should be enabled. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">xend_run_qemu</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P xend_run_qemu on</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_xend_run_qemu" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_xend_run_qemu="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_xend_run_qemu" use="legacy"/>" | |
| setsebool -P xend_run_qemu $var_xend_run_qemu | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_xend_run_qemu" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_xend_run_qemu # promote to variable | |
| set_fact: | |
| var_xend_run_qemu: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_xend_run_qemu" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean xend_run_qemu accordingly | |
| seboolean: | |
| name: xend_run_qemu | |
| state: "{{ var_xend_run_qemu }}" | |
| persistent: yes | |
| tags: | |
| - sebool_xend_run_qemu | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_xend_run_qemu:var:1" value-id="xccdf_org.ssgproject.content_value_var_xend_run_qemu"/> | |
| <check-content-ref name="oval:ssg-sebool_xend_run_qemu:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_xend_run_qemu_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_cups_execmem" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the cups_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">cups_execmem</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">cups_execmem</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P cups_execmem off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_cups_execmem" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_cups_execmem="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_cups_execmem" use="legacy"/>" | |
| setsebool -P cups_execmem $var_cups_execmem | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_cups_execmem" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_cups_execmem # promote to variable | |
| set_fact: | |
| var_cups_execmem: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_cups_execmem" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean cups_execmem accordingly | |
| seboolean: | |
| name: cups_execmem | |
| state: "{{ var_cups_execmem }}" | |
| persistent: yes | |
| tags: | |
| - sebool_cups_execmem | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_cups_execmem:var:1" value-id="xccdf_org.ssgproject.content_value_var_cups_execmem"/> | |
| <check-content-ref name="oval:ssg-sebool_cups_execmem:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_cups_execmem_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_selinuxuser_direct_dri_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Configure the selinuxuser_direct_dri_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">selinuxuser_direct_dri_enabled</html:code> is enabled. | |
| If the X Window System is not installed or used on the system, this setting should be disabled. | |
| Otherwise, enable it. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">selinuxuser_direct_dri_enabled</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P selinuxuser_direct_dri_enabled off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_selinuxuser_direct_dri_enabled" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_selinuxuser_direct_dri_enabled="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_direct_dri_enabled" use="legacy"/>" | |
| setsebool -P selinuxuser_direct_dri_enabled $var_selinuxuser_direct_dri_enabled | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_selinuxuser_direct_dri_enabled" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_selinuxuser_direct_dri_enabled # promote to variable | |
| set_fact: | |
| var_selinuxuser_direct_dri_enabled: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_selinuxuser_direct_dri_enabled" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean selinuxuser_direct_dri_enabled accordingly | |
| seboolean: | |
| name: selinuxuser_direct_dri_enabled | |
| state: "{{ var_selinuxuser_direct_dri_enabled }}" | |
| persistent: yes | |
| tags: | |
| - sebool_selinuxuser_direct_dri_enabled | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_selinuxuser_direct_dri_enabled:var:1" value-id="xccdf_org.ssgproject.content_value_var_selinuxuser_direct_dri_enabled"/> | |
| <check-content-ref name="oval:ssg-sebool_selinuxuser_direct_dri_enabled:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_selinuxuser_direct_dri_enabled_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_sge_domain_can_network_connect" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the sge_domain_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">sge_domain_can_network_connect</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sge_domain_can_network_connect</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P sge_domain_can_network_connect off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sge_domain_can_network_connect" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_sge_domain_can_network_connect="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sge_domain_can_network_connect" use="legacy"/>" | |
| setsebool -P sge_domain_can_network_connect $var_sge_domain_can_network_connect | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sge_domain_can_network_connect" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_sge_domain_can_network_connect # promote to variable | |
| set_fact: | |
| var_sge_domain_can_network_connect: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sge_domain_can_network_connect" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean sge_domain_can_network_connect accordingly | |
| seboolean: | |
| name: sge_domain_can_network_connect | |
| state: "{{ var_sge_domain_can_network_connect }}" | |
| persistent: yes | |
| tags: | |
| - sebool_sge_domain_can_network_connect | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_sge_domain_can_network_connect:var:1" value-id="xccdf_org.ssgproject.content_value_var_sge_domain_can_network_connect"/> | |
| <check-content-ref name="oval:ssg-sebool_sge_domain_can_network_connect:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_sge_domain_can_network_connect_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_openshift_use_nfs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the openshift_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">openshift_use_nfs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">openshift_use_nfs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P openshift_use_nfs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_openshift_use_nfs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_openshift_use_nfs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_openshift_use_nfs" use="legacy"/>" | |
| setsebool -P openshift_use_nfs $var_openshift_use_nfs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_openshift_use_nfs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_openshift_use_nfs # promote to variable | |
| set_fact: | |
| var_openshift_use_nfs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_openshift_use_nfs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean openshift_use_nfs accordingly | |
| seboolean: | |
| name: openshift_use_nfs | |
| state: "{{ var_openshift_use_nfs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_openshift_use_nfs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_openshift_use_nfs:var:1" value-id="xccdf_org.ssgproject.content_value_var_openshift_use_nfs"/> | |
| <check-content-ref name="oval:ssg-sebool_openshift_use_nfs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_openshift_use_nfs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_ftpd_connect_db" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the ftpd_connect_db SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_connect_db</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_connect_db</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P ftpd_connect_db off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_connect_db" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_ftpd_connect_db="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_connect_db" use="legacy"/>" | |
| setsebool -P ftpd_connect_db $var_ftpd_connect_db | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_connect_db" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_ftpd_connect_db # promote to variable | |
| set_fact: | |
| var_ftpd_connect_db: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_connect_db" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean ftpd_connect_db accordingly | |
| seboolean: | |
| name: ftpd_connect_db | |
| state: "{{ var_ftpd_connect_db }}" | |
| persistent: yes | |
| tags: | |
| - sebool_ftpd_connect_db | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_ftpd_connect_db:var:1" value-id="xccdf_org.ssgproject.content_value_var_ftpd_connect_db"/> | |
| <check-content-ref name="oval:ssg-sebool_ftpd_connect_db:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_ftpd_connect_db_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_nagios_run_sudo" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the nagios_run_sudo SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">nagios_run_sudo</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nagios_run_sudo</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P nagios_run_sudo off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nagios_run_sudo" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_nagios_run_sudo="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nagios_run_sudo" use="legacy"/>" | |
| setsebool -P nagios_run_sudo $var_nagios_run_sudo | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nagios_run_sudo" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_nagios_run_sudo # promote to variable | |
| set_fact: | |
| var_nagios_run_sudo: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nagios_run_sudo" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean nagios_run_sudo accordingly | |
| seboolean: | |
| name: nagios_run_sudo | |
| state: "{{ var_nagios_run_sudo }}" | |
| persistent: yes | |
| tags: | |
| - sebool_nagios_run_sudo | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_nagios_run_sudo:var:1" value-id="xccdf_org.ssgproject.content_value_var_nagios_run_sudo"/> | |
| <check-content-ref name="oval:ssg-sebool_nagios_run_sudo:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_nagios_run_sudo_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_guest_exec_content" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the guest_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">guest_exec_content</html:code> is enabled. | |
| This setting should be disabled as no guest accounts should be used. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">guest_exec_content</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P guest_exec_content off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_guest_exec_content" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_guest_exec_content="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_guest_exec_content" use="legacy"/>" | |
| setsebool -P guest_exec_content $var_guest_exec_content | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_guest_exec_content" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_guest_exec_content # promote to variable | |
| set_fact: | |
| var_guest_exec_content: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_guest_exec_content" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean guest_exec_content accordingly | |
| seboolean: | |
| name: guest_exec_content | |
| state: "{{ var_guest_exec_content }}" | |
| persistent: yes | |
| tags: | |
| - sebool_guest_exec_content | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_guest_exec_content:var:1" value-id="xccdf_org.ssgproject.content_value_var_guest_exec_content"/> | |
| <check-content-ref name="oval:ssg-sebool_guest_exec_content:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_guest_exec_content_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_ftpd_anon_write" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the ftpd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_anon_write</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_anon_write</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P ftpd_anon_write off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_anon_write" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_ftpd_anon_write="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_anon_write" use="legacy"/>" | |
| setsebool -P ftpd_anon_write $var_ftpd_anon_write | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_anon_write" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_ftpd_anon_write # promote to variable | |
| set_fact: | |
| var_ftpd_anon_write: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_anon_write" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean ftpd_anon_write accordingly | |
| seboolean: | |
| name: ftpd_anon_write | |
| state: "{{ var_ftpd_anon_write }}" | |
| persistent: yes | |
| tags: | |
| - sebool_ftpd_anon_write | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_ftpd_anon_write:var:1" value-id="xccdf_org.ssgproject.content_value_var_ftpd_anon_write"/> | |
| <check-content-ref name="oval:ssg-sebool_ftpd_anon_write:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_ftpd_anon_write_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_conman_can_network" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the conman_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">conman_can_network</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">conman_can_network</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P conman_can_network off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_conman_can_network" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_conman_can_network="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_conman_can_network" use="legacy"/>" | |
| setsebool -P conman_can_network $var_conman_can_network | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_conman_can_network" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_conman_can_network # promote to variable | |
| set_fact: | |
| var_conman_can_network: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_conman_can_network" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean conman_can_network accordingly | |
| seboolean: | |
| name: conman_can_network | |
| state: "{{ var_conman_can_network }}" | |
| persistent: yes | |
| tags: | |
| - sebool_conman_can_network | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_conman_can_network:var:1" value-id="xccdf_org.ssgproject.content_value_var_conman_can_network"/> | |
| <check-content-ref name="oval:ssg-sebool_conman_can_network:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_conman_can_network_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_can_check_spam" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_can_check_spam SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_can_check_spam</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_can_check_spam</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_can_check_spam off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_can_check_spam" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_can_check_spam="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_can_check_spam" use="legacy"/>" | |
| setsebool -P httpd_can_check_spam $var_httpd_can_check_spam | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_can_check_spam" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_can_check_spam # promote to variable | |
| set_fact: | |
| var_httpd_can_check_spam: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_can_check_spam" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_can_check_spam accordingly | |
| seboolean: | |
| name: httpd_can_check_spam | |
| state: "{{ var_httpd_can_check_spam }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_can_check_spam | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_can_check_spam:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_can_check_spam"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_can_check_spam:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_can_check_spam_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_antivirus_can_scan_system" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the antivirus_can_scan_system SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">antivirus_can_scan_system</html:code> is disabled. | |
| This setting should be enabled as it allows antivirus programs to read non-security | |
| files on a system. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">antivirus_can_scan_system</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P antivirus_can_scan_system on</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80422-9</ident> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_antivirus_can_scan_system" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_antivirus_can_scan_system="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" use="legacy"/>" | |
| setsebool -P antivirus_can_scan_system $var_antivirus_can_scan_system | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_antivirus_can_scan_system" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_antivirus_can_scan_system # promote to variable | |
| set_fact: | |
| var_antivirus_can_scan_system: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean antivirus_can_scan_system accordingly | |
| seboolean: | |
| name: antivirus_can_scan_system | |
| state: "{{ var_antivirus_can_scan_system }}" | |
| persistent: yes | |
| tags: | |
| - sebool_antivirus_can_scan_system | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| - CCE-80422-9 | |
| - NIST-800-171-3.7.2 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_antivirus_can_scan_system:var:1" value-id="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system"/> | |
| <check-content-ref name="oval:ssg-sebool_antivirus_can_scan_system:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_antivirus_can_scan_system_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_git_cgi_use_nfs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the git_cgi_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">git_cgi_use_nfs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">git_cgi_use_nfs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P git_cgi_use_nfs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_git_cgi_use_nfs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_git_cgi_use_nfs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_git_cgi_use_nfs" use="legacy"/>" | |
| setsebool -P git_cgi_use_nfs $var_git_cgi_use_nfs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_git_cgi_use_nfs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_git_cgi_use_nfs # promote to variable | |
| set_fact: | |
| var_git_cgi_use_nfs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_git_cgi_use_nfs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean git_cgi_use_nfs accordingly | |
| seboolean: | |
| name: git_cgi_use_nfs | |
| state: "{{ var_git_cgi_use_nfs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_git_cgi_use_nfs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_git_cgi_use_nfs:var:1" value-id="xccdf_org.ssgproject.content_value_var_git_cgi_use_nfs"/> | |
| <check-content-ref name="oval:ssg-sebool_git_cgi_use_nfs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_git_cgi_use_nfs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_sftpd_enable_homedirs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the sftpd_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">sftpd_enable_homedirs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sftpd_enable_homedirs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P sftpd_enable_homedirs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sftpd_enable_homedirs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_sftpd_enable_homedirs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sftpd_enable_homedirs" use="legacy"/>" | |
| setsebool -P sftpd_enable_homedirs $var_sftpd_enable_homedirs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sftpd_enable_homedirs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_sftpd_enable_homedirs # promote to variable | |
| set_fact: | |
| var_sftpd_enable_homedirs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sftpd_enable_homedirs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean sftpd_enable_homedirs accordingly | |
| seboolean: | |
| name: sftpd_enable_homedirs | |
| state: "{{ var_sftpd_enable_homedirs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_sftpd_enable_homedirs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_sftpd_enable_homedirs:var:1" value-id="xccdf_org.ssgproject.content_value_var_sftpd_enable_homedirs"/> | |
| <check-content-ref name="oval:ssg-sebool_sftpd_enable_homedirs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_sftpd_enable_homedirs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_entropyd_use_audio" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the entropyd_use_audio SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">entropyd_use_audio</html:code> is enabled. | |
| This setting should be disabled as it uses audio input to generate entropy. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">entropyd_use_audio</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P entropyd_use_audio off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_entropyd_use_audio" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_entropyd_use_audio="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_entropyd_use_audio" use="legacy"/>" | |
| setsebool -P entropyd_use_audio $var_entropyd_use_audio | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_entropyd_use_audio" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_entropyd_use_audio # promote to variable | |
| set_fact: | |
| var_entropyd_use_audio: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_entropyd_use_audio" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean entropyd_use_audio accordingly | |
| seboolean: | |
| name: entropyd_use_audio | |
| state: "{{ var_entropyd_use_audio }}" | |
| persistent: yes | |
| tags: | |
| - sebool_entropyd_use_audio | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_entropyd_use_audio:var:1" value-id="xccdf_org.ssgproject.content_value_var_entropyd_use_audio"/> | |
| <check-content-ref name="oval:ssg-sebool_entropyd_use_audio:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_entropyd_use_audio_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mount_anyfile" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the mount_anyfile SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mount_anyfile</html:code> is enabled. | |
| If this setting is disabled, it should be enabled to allow any file | |
| or directory to be mounted. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mount_anyfile</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mount_anyfile on</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mount_anyfile" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mount_anyfile="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mount_anyfile" use="legacy"/>" | |
| setsebool -P mount_anyfile $var_mount_anyfile | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mount_anyfile" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mount_anyfile # promote to variable | |
| set_fact: | |
| var_mount_anyfile: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mount_anyfile" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean mount_anyfile accordingly | |
| seboolean: | |
| name: mount_anyfile | |
| state: "{{ var_mount_anyfile }}" | |
| persistent: yes | |
| tags: | |
| - sebool_mount_anyfile | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mount_anyfile:var:1" value-id="xccdf_org.ssgproject.content_value_var_mount_anyfile"/> | |
| <check-content-ref name="oval:ssg-sebool_mount_anyfile:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mount_anyfile_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_fenced_can_network_connect" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the fenced_can_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">fenced_can_network_connect</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">fenced_can_network_connect</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P fenced_can_network_connect off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_fenced_can_network_connect" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_fenced_can_network_connect="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_fenced_can_network_connect" use="legacy"/>" | |
| setsebool -P fenced_can_network_connect $var_fenced_can_network_connect | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_fenced_can_network_connect" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_fenced_can_network_connect # promote to variable | |
| set_fact: | |
| var_fenced_can_network_connect: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_fenced_can_network_connect" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean fenced_can_network_connect accordingly | |
| seboolean: | |
| name: fenced_can_network_connect | |
| state: "{{ var_fenced_can_network_connect }}" | |
| persistent: yes | |
| tags: | |
| - sebool_fenced_can_network_connect | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_fenced_can_network_connect:var:1" value-id="xccdf_org.ssgproject.content_value_var_fenced_can_network_connect"/> | |
| <check-content-ref name="oval:ssg-sebool_fenced_can_network_connect:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_fenced_can_network_connect_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_swift_can_network" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the swift_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">swift_can_network</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">swift_can_network</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P swift_can_network off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_swift_can_network" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_swift_can_network="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_swift_can_network" use="legacy"/>" | |
| setsebool -P swift_can_network $var_swift_can_network | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_swift_can_network" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_swift_can_network # promote to variable | |
| set_fact: | |
| var_swift_can_network: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_swift_can_network" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean swift_can_network accordingly | |
| seboolean: | |
| name: swift_can_network | |
| state: "{{ var_swift_can_network }}" | |
| persistent: yes | |
| tags: | |
| - sebool_swift_can_network | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_swift_can_network:var:1" value-id="xccdf_org.ssgproject.content_value_var_swift_can_network"/> | |
| <check-content-ref name="oval:ssg-sebool_swift_can_network:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_swift_can_network_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_enable_homedirs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_enable_homedirs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_enable_homedirs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_enable_homedirs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_enable_homedirs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_enable_homedirs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_enable_homedirs" use="legacy"/>" | |
| setsebool -P httpd_enable_homedirs $var_httpd_enable_homedirs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_enable_homedirs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_enable_homedirs # promote to variable | |
| set_fact: | |
| var_httpd_enable_homedirs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_enable_homedirs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_enable_homedirs accordingly | |
| seboolean: | |
| name: httpd_enable_homedirs | |
| state: "{{ var_httpd_enable_homedirs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_enable_homedirs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_enable_homedirs:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_enable_homedirs"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_enable_homedirs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_enable_homedirs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_ftpd_connect_all_unreserved" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the ftpd_connect_all_unreserved SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_connect_all_unreserved</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_connect_all_unreserved</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P ftpd_connect_all_unreserved off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_connect_all_unreserved" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_ftpd_connect_all_unreserved="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_connect_all_unreserved" use="legacy"/>" | |
| setsebool -P ftpd_connect_all_unreserved $var_ftpd_connect_all_unreserved | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_connect_all_unreserved" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_ftpd_connect_all_unreserved # promote to variable | |
| set_fact: | |
| var_ftpd_connect_all_unreserved: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_connect_all_unreserved" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean ftpd_connect_all_unreserved accordingly | |
| seboolean: | |
| name: ftpd_connect_all_unreserved | |
| state: "{{ var_ftpd_connect_all_unreserved }}" | |
| persistent: yes | |
| tags: | |
| - sebool_ftpd_connect_all_unreserved | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_ftpd_connect_all_unreserved:var:1" value-id="xccdf_org.ssgproject.content_value_var_ftpd_connect_all_unreserved"/> | |
| <check-content-ref name="oval:ssg-sebool_ftpd_connect_all_unreserved:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_ftpd_connect_all_unreserved_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_ksmtuned_use_cifs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the ksmtuned_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">ksmtuned_use_cifs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ksmtuned_use_cifs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P ksmtuned_use_cifs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ksmtuned_use_cifs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_ksmtuned_use_cifs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ksmtuned_use_cifs" use="legacy"/>" | |
| setsebool -P ksmtuned_use_cifs $var_ksmtuned_use_cifs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ksmtuned_use_cifs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_ksmtuned_use_cifs # promote to variable | |
| set_fact: | |
| var_ksmtuned_use_cifs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ksmtuned_use_cifs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean ksmtuned_use_cifs accordingly | |
| seboolean: | |
| name: ksmtuned_use_cifs | |
| state: "{{ var_ksmtuned_use_cifs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_ksmtuned_use_cifs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_ksmtuned_use_cifs:var:1" value-id="xccdf_org.ssgproject.content_value_var_ksmtuned_use_cifs"/> | |
| <check-content-ref name="oval:ssg-sebool_ksmtuned_use_cifs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_ksmtuned_use_cifs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_fips_mode" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the fips_mode SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">fips_mode</html:code> is enabled. | |
| This allows all SELinux domains to execute in <html:code xmlns:html="http://www.w3.org/1999/xhtml">fips_mode</html:code>. | |
| If this setting is disabled, it should be enabled. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">fips_mode</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P fips_mode on</html:pre></description> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</reference> | |
| <reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</reference> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <ident system="https://nvd.nist.gov/cce/index.cfm">CCE-80418-7</ident> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_fips_mode" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_fips_mode="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_fips_mode" use="legacy"/>" | |
| setsebool -P fips_mode $var_fips_mode | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_fips_mode" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_fips_mode # promote to variable | |
| set_fact: | |
| var_fips_mode: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_fips_mode" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean fips_mode accordingly | |
| seboolean: | |
| name: fips_mode | |
| state: "{{ var_fips_mode }}" | |
| persistent: yes | |
| tags: | |
| - sebool_fips_mode | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| - CCE-80418-7 | |
| - NIST-800-53-SC-13 | |
| - NIST-800-171-3.13.11 | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_fips_mode:var:1" value-id="xccdf_org.ssgproject.content_value_var_fips_mode"/> | |
| <check-content-ref name="oval:ssg-sebool_fips_mode:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_fips_mode_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_sys_admin" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the virt_sandbox_use_sys_admin SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_sandbox_use_sys_admin</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_sandbox_use_sys_admin</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P virt_sandbox_use_sys_admin off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_sandbox_use_sys_admin" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_virt_sandbox_use_sys_admin="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_sys_admin" use="legacy"/>" | |
| setsebool -P virt_sandbox_use_sys_admin $var_virt_sandbox_use_sys_admin | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_sandbox_use_sys_admin" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_virt_sandbox_use_sys_admin # promote to variable | |
| set_fact: | |
| var_virt_sandbox_use_sys_admin: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_sys_admin" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean virt_sandbox_use_sys_admin accordingly | |
| seboolean: | |
| name: virt_sandbox_use_sys_admin | |
| state: "{{ var_virt_sandbox_use_sys_admin }}" | |
| persistent: yes | |
| tags: | |
| - sebool_virt_sandbox_use_sys_admin | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_virt_sandbox_use_sys_admin:var:1" value-id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_sys_admin"/> | |
| <check-content-ref name="oval:ssg-sebool_virt_sandbox_use_sys_admin:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_virt_sandbox_use_sys_admin_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_postfix_local_write_mail_spool" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the postfix_local_write_mail_spool SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">postfix_local_write_mail_spool</html:code> is enabled. | |
| If this setting is disabled, it should be enabled as it allows Postfix to write | |
| to the mail spool directories. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">postfix_local_write_mail_spool</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P postfix_local_write_mail_spool on</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_postfix_local_write_mail_spool" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_postfix_local_write_mail_spool="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_postfix_local_write_mail_spool" use="legacy"/>" | |
| setsebool -P postfix_local_write_mail_spool $var_postfix_local_write_mail_spool | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_postfix_local_write_mail_spool" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_postfix_local_write_mail_spool # promote to variable | |
| set_fact: | |
| var_postfix_local_write_mail_spool: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_postfix_local_write_mail_spool" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean postfix_local_write_mail_spool accordingly | |
| seboolean: | |
| name: postfix_local_write_mail_spool | |
| state: "{{ var_postfix_local_write_mail_spool }}" | |
| persistent: yes | |
| tags: | |
| - sebool_postfix_local_write_mail_spool | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_postfix_local_write_mail_spool:var:1" value-id="xccdf_org.ssgproject.content_value_var_postfix_local_write_mail_spool"/> | |
| <check-content-ref name="oval:ssg-sebool_postfix_local_write_mail_spool:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_postfix_local_write_mail_spool_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_haproxy_connect_any" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the haproxy_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">haproxy_connect_any</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">haproxy_connect_any</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P haproxy_connect_any off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_haproxy_connect_any" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_haproxy_connect_any="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_haproxy_connect_any" use="legacy"/>" | |
| setsebool -P haproxy_connect_any $var_haproxy_connect_any | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_haproxy_connect_any" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_haproxy_connect_any # promote to variable | |
| set_fact: | |
| var_haproxy_connect_any: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_haproxy_connect_any" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean haproxy_connect_any accordingly | |
| seboolean: | |
| name: haproxy_connect_any | |
| state: "{{ var_haproxy_connect_any }}" | |
| persistent: yes | |
| tags: | |
| - sebool_haproxy_connect_any | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_haproxy_connect_any:var:1" value-id="xccdf_org.ssgproject.content_value_var_haproxy_connect_any"/> | |
| <check-content-ref name="oval:ssg-sebool_haproxy_connect_any:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_haproxy_connect_any_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_xdm_sysadm_login" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the xdm_sysadm_login SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">xdm_sysadm_login</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">xdm_sysadm_login</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P xdm_sysadm_login off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_xdm_sysadm_login" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_xdm_sysadm_login="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_xdm_sysadm_login" use="legacy"/>" | |
| setsebool -P xdm_sysadm_login $var_xdm_sysadm_login | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_xdm_sysadm_login" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_xdm_sysadm_login # promote to variable | |
| set_fact: | |
| var_xdm_sysadm_login: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_xdm_sysadm_login" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean xdm_sysadm_login accordingly | |
| seboolean: | |
| name: xdm_sysadm_login | |
| state: "{{ var_xdm_sysadm_login }}" | |
| persistent: yes | |
| tags: | |
| - sebool_xdm_sysadm_login | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_xdm_sysadm_login:var:1" value-id="xccdf_org.ssgproject.content_value_var_xdm_sysadm_login"/> | |
| <check-content-ref name="oval:ssg-sebool_xdm_sysadm_login:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_xdm_sysadm_login_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_git_session_bind_all_unreserved_ports" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the git_session_bind_all_unreserved_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">git_session_bind_all_unreserved_ports</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">git_session_bind_all_unreserved_ports</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P git_session_bind_all_unreserved_ports off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_git_session_bind_all_unreserved_ports" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_git_session_bind_all_unreserved_ports="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_git_session_bind_all_unreserved_ports" use="legacy"/>" | |
| setsebool -P git_session_bind_all_unreserved_ports $var_git_session_bind_all_unreserved_ports | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_git_session_bind_all_unreserved_ports" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_git_session_bind_all_unreserved_ports # promote to variable | |
| set_fact: | |
| var_git_session_bind_all_unreserved_ports: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_git_session_bind_all_unreserved_ports" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean git_session_bind_all_unreserved_ports accordingly | |
| seboolean: | |
| name: git_session_bind_all_unreserved_ports | |
| state: "{{ var_git_session_bind_all_unreserved_ports }}" | |
| persistent: yes | |
| tags: | |
| - sebool_git_session_bind_all_unreserved_ports | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_git_session_bind_all_unreserved_ports:var:1" value-id="xccdf_org.ssgproject.content_value_var_git_session_bind_all_unreserved_ports"/> | |
| <check-content-ref name="oval:ssg-sebool_git_session_bind_all_unreserved_ports:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_git_session_bind_all_unreserved_ports_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mplayer_execstack" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mplayer_execstack SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mplayer_execstack</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mplayer_execstack</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mplayer_execstack off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mplayer_execstack" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mplayer_execstack="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mplayer_execstack" use="legacy"/>" | |
| setsebool -P mplayer_execstack $var_mplayer_execstack | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mplayer_execstack" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mplayer_execstack # promote to variable | |
| set_fact: | |
| var_mplayer_execstack: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mplayer_execstack" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean mplayer_execstack accordingly | |
| seboolean: | |
| name: mplayer_execstack | |
| state: "{{ var_mplayer_execstack }}" | |
| persistent: yes | |
| tags: | |
| - sebool_mplayer_execstack | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mplayer_execstack:var:1" value-id="xccdf_org.ssgproject.content_value_var_mplayer_execstack"/> | |
| <check-content-ref name="oval:ssg-sebool_mplayer_execstack:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mplayer_execstack_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_spamd_enable_home_dirs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the spamd_enable_home_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">spamd_enable_home_dirs</html:code> is enabled. | |
| If this setting is disabled, it should be enabled. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">spamd_enable_home_dirs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P spamd_enable_home_dirs on</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_spamd_enable_home_dirs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_spamd_enable_home_dirs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_spamd_enable_home_dirs" use="legacy"/>" | |
| setsebool -P spamd_enable_home_dirs $var_spamd_enable_home_dirs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_spamd_enable_home_dirs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_spamd_enable_home_dirs # promote to variable | |
| set_fact: | |
| var_spamd_enable_home_dirs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_spamd_enable_home_dirs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean spamd_enable_home_dirs accordingly | |
| seboolean: | |
| name: spamd_enable_home_dirs | |
| state: "{{ var_spamd_enable_home_dirs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_spamd_enable_home_dirs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_spamd_enable_home_dirs:var:1" value-id="xccdf_org.ssgproject.content_value_var_spamd_enable_home_dirs"/> | |
| <check-content-ref name="oval:ssg-sebool_spamd_enable_home_dirs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_spamd_enable_home_dirs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_sftpd_anon_write" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the sftpd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">sftpd_anon_write</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sftpd_anon_write</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P sftpd_anon_write off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sftpd_anon_write" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_sftpd_anon_write="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sftpd_anon_write" use="legacy"/>" | |
| setsebool -P sftpd_anon_write $var_sftpd_anon_write | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sftpd_anon_write" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_sftpd_anon_write # promote to variable | |
| set_fact: | |
| var_sftpd_anon_write: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sftpd_anon_write" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean sftpd_anon_write accordingly | |
| seboolean: | |
| name: sftpd_anon_write | |
| state: "{{ var_sftpd_anon_write }}" | |
| persistent: yes | |
| tags: | |
| - sebool_sftpd_anon_write | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_sftpd_anon_write:var:1" value-id="xccdf_org.ssgproject.content_value_var_sftpd_anon_write"/> | |
| <check-content-ref name="oval:ssg-sebool_sftpd_anon_write:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_sftpd_anon_write_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_virt_sandbox_use_all_caps" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the virt_sandbox_use_all_caps SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_sandbox_use_all_caps</html:code> is enabled. | |
| This setting should be disabled, as containers should not run with privileges. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_sandbox_use_all_caps</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P virt_sandbox_use_all_caps off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_sandbox_use_all_caps" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_virt_sandbox_use_all_caps="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_all_caps" use="legacy"/>" | |
| setsebool -P virt_sandbox_use_all_caps $var_virt_sandbox_use_all_caps | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_sandbox_use_all_caps" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_virt_sandbox_use_all_caps # promote to variable | |
| set_fact: | |
| var_virt_sandbox_use_all_caps: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_all_caps" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean virt_sandbox_use_all_caps accordingly | |
| seboolean: | |
| name: virt_sandbox_use_all_caps | |
| state: "{{ var_virt_sandbox_use_all_caps }}" | |
| persistent: yes | |
| tags: | |
| - sebool_virt_sandbox_use_all_caps | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_virt_sandbox_use_all_caps:var:1" value-id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_all_caps"/> | |
| <check-content-ref name="oval:ssg-sebool_virt_sandbox_use_all_caps:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_virt_sandbox_use_all_caps_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_pppd_can_insmod" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the pppd_can_insmod SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">pppd_can_insmod</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">pppd_can_insmod</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P pppd_can_insmod off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_pppd_can_insmod" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_pppd_can_insmod="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_pppd_can_insmod" use="legacy"/>" | |
| setsebool -P pppd_can_insmod $var_pppd_can_insmod | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_pppd_can_insmod" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_pppd_can_insmod # promote to variable | |
| set_fact: | |
| var_pppd_can_insmod: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_pppd_can_insmod" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean pppd_can_insmod accordingly | |
| seboolean: | |
| name: pppd_can_insmod | |
| state: "{{ var_pppd_can_insmod }}" | |
| persistent: yes | |
| tags: | |
| - sebool_pppd_can_insmod | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_pppd_can_insmod:var:1" value-id="xccdf_org.ssgproject.content_value_var_pppd_can_insmod"/> | |
| <check-content-ref name="oval:ssg-sebool_pppd_can_insmod:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_pppd_can_insmod_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_exim_can_connect_db" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the exim_can_connect_db SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">exim_can_connect_db</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">exim_can_connect_db</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P exim_can_connect_db off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_exim_can_connect_db" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_exim_can_connect_db="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_exim_can_connect_db" use="legacy"/>" | |
| setsebool -P exim_can_connect_db $var_exim_can_connect_db | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_exim_can_connect_db" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_exim_can_connect_db # promote to variable | |
| set_fact: | |
| var_exim_can_connect_db: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_exim_can_connect_db" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean exim_can_connect_db accordingly | |
| seboolean: | |
| name: exim_can_connect_db | |
| state: "{{ var_exim_can_connect_db }}" | |
| persistent: yes | |
| tags: | |
| - sebool_exim_can_connect_db | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_exim_can_connect_db:var:1" value-id="xccdf_org.ssgproject.content_value_var_exim_can_connect_db"/> | |
| <check-content-ref name="oval:ssg-sebool_exim_can_connect_db:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_exim_can_connect_db_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_tmp_exec" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_tmp_exec SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_tmp_exec</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_tmp_exec</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_tmp_exec off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_tmp_exec" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_tmp_exec="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_tmp_exec" use="legacy"/>" | |
| setsebool -P httpd_tmp_exec $var_httpd_tmp_exec | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_tmp_exec" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_tmp_exec # promote to variable | |
| set_fact: | |
| var_httpd_tmp_exec: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_tmp_exec" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_tmp_exec accordingly | |
| seboolean: | |
| name: httpd_tmp_exec | |
| state: "{{ var_httpd_tmp_exec }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_tmp_exec | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_tmp_exec:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_tmp_exec"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_tmp_exec:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_tmp_exec_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_use_nfs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_use_nfs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_use_nfs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_use_nfs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_use_nfs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_use_nfs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_use_nfs" use="legacy"/>" | |
| setsebool -P httpd_use_nfs $var_httpd_use_nfs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_use_nfs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_use_nfs # promote to variable | |
| set_fact: | |
| var_httpd_use_nfs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_use_nfs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_use_nfs accordingly | |
| seboolean: | |
| name: httpd_use_nfs | |
| state: "{{ var_httpd_use_nfs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_use_nfs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_use_nfs:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_use_nfs"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_use_nfs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_use_nfs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_secure_mode_insmod" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the secure_mode_insmod SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">secure_mode_insmod</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">secure_mode_insmod</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P secure_mode_insmod off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_secure_mode_insmod" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_secure_mode_insmod="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" use="legacy"/>" | |
| setsebool -P secure_mode_insmod $var_secure_mode_insmod | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_secure_mode_insmod" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_secure_mode_insmod # promote to variable | |
| set_fact: | |
| var_secure_mode_insmod: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean secure_mode_insmod accordingly | |
| seboolean: | |
| name: secure_mode_insmod | |
| state: "{{ var_secure_mode_insmod }}" | |
| persistent: yes | |
| tags: | |
| - sebool_secure_mode_insmod | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_secure_mode_insmod:var:1" value-id="xccdf_org.ssgproject.content_value_var_secure_mode_insmod"/> | |
| <check-content-ref name="oval:ssg-sebool_secure_mode_insmod:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_secure_mode_insmod_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_condor_tcp_network_connect" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the condor_tcp_network_connect SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">condor_tcp_network_connect</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">condor_tcp_network_connect</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P condor_tcp_network_connect off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_condor_tcp_network_connect" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_condor_tcp_network_connect="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_condor_tcp_network_connect" use="legacy"/>" | |
| setsebool -P condor_tcp_network_connect $var_condor_tcp_network_connect | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_condor_tcp_network_connect" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_condor_tcp_network_connect # promote to variable | |
| set_fact: | |
| var_condor_tcp_network_connect: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_condor_tcp_network_connect" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean condor_tcp_network_connect accordingly | |
| seboolean: | |
| name: condor_tcp_network_connect | |
| state: "{{ var_condor_tcp_network_connect }}" | |
| persistent: yes | |
| tags: | |
| - sebool_condor_tcp_network_connect | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_condor_tcp_network_connect:var:1" value-id="xccdf_org.ssgproject.content_value_var_condor_tcp_network_connect"/> | |
| <check-content-ref name="oval:ssg-sebool_condor_tcp_network_connect:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_condor_tcp_network_connect_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_ssi_exec" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_ssi_exec SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_ssi_exec</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_ssi_exec</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_ssi_exec off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_ssi_exec" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_ssi_exec="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_ssi_exec" use="legacy"/>" | |
| setsebool -P httpd_ssi_exec $var_httpd_ssi_exec | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_ssi_exec" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_ssi_exec # promote to variable | |
| set_fact: | |
| var_httpd_ssi_exec: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_ssi_exec" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_ssi_exec accordingly | |
| seboolean: | |
| name: httpd_ssi_exec | |
| state: "{{ var_httpd_ssi_exec }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_ssi_exec | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_ssi_exec:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_ssi_exec"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_ssi_exec:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_ssi_exec_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_zarafa_setrlimit" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the zarafa_setrlimit SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">zarafa_setrlimit</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">zarafa_setrlimit</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P zarafa_setrlimit off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_zarafa_setrlimit" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_zarafa_setrlimit="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_zarafa_setrlimit" use="legacy"/>" | |
| setsebool -P zarafa_setrlimit $var_zarafa_setrlimit | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_zarafa_setrlimit" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_zarafa_setrlimit # promote to variable | |
| set_fact: | |
| var_zarafa_setrlimit: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_zarafa_setrlimit" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean zarafa_setrlimit accordingly | |
| seboolean: | |
| name: zarafa_setrlimit | |
| state: "{{ var_zarafa_setrlimit }}" | |
| persistent: yes | |
| tags: | |
| - sebool_zarafa_setrlimit | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_zarafa_setrlimit:var:1" value-id="xccdf_org.ssgproject.content_value_var_zarafa_setrlimit"/> | |
| <check-content-ref name="oval:ssg-sebool_zarafa_setrlimit:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_zarafa_setrlimit_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_sanlock_use_fusefs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the sanlock_use_fusefs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">sanlock_use_fusefs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sanlock_use_fusefs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P sanlock_use_fusefs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sanlock_use_fusefs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_sanlock_use_fusefs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sanlock_use_fusefs" use="legacy"/>" | |
| setsebool -P sanlock_use_fusefs $var_sanlock_use_fusefs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sanlock_use_fusefs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_sanlock_use_fusefs # promote to variable | |
| set_fact: | |
| var_sanlock_use_fusefs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sanlock_use_fusefs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean sanlock_use_fusefs accordingly | |
| seboolean: | |
| name: sanlock_use_fusefs | |
| state: "{{ var_sanlock_use_fusefs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_sanlock_use_fusefs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_sanlock_use_fusefs:var:1" value-id="xccdf_org.ssgproject.content_value_var_sanlock_use_fusefs"/> | |
| <check-content-ref name="oval:ssg-sebool_sanlock_use_fusefs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_sanlock_use_fusefs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_use_tty" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the logging_syslogd_use_tty SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">logging_syslogd_use_tty</html:code> is enabled. | |
| If this setting is disabled, it should be enabled, as it allows <html:code xmlns:html="http://www.w3.org/1999/xhtml">syslog</html:code> | |
| to read from and write to the terminal. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">logging_syslogd_use_tty</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P logging_syslogd_use_tty on</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_logging_syslogd_use_tty" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_logging_syslogd_use_tty="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_logging_syslogd_use_tty" use="legacy"/>" | |
| setsebool -P logging_syslogd_use_tty $var_logging_syslogd_use_tty | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_logging_syslogd_use_tty" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_logging_syslogd_use_tty # promote to variable | |
| set_fact: | |
| var_logging_syslogd_use_tty: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_logging_syslogd_use_tty" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean logging_syslogd_use_tty accordingly | |
| seboolean: | |
| name: logging_syslogd_use_tty | |
| state: "{{ var_logging_syslogd_use_tty }}" | |
| persistent: yes | |
| tags: | |
| - sebool_logging_syslogd_use_tty | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_logging_syslogd_use_tty:var:1" value-id="xccdf_org.ssgproject.content_value_var_logging_syslogd_use_tty"/> | |
| <check-content-ref name="oval:ssg-sebool_logging_syslogd_use_tty:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_logging_syslogd_use_tty_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_dhcpc_exec_iptables" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the dhcpc_exec_iptables SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhcpc_exec_iptables</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhcpc_exec_iptables</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P dhcpc_exec_iptables off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_dhcpc_exec_iptables" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_dhcpc_exec_iptables="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_dhcpc_exec_iptables" use="legacy"/>" | |
| setsebool -P dhcpc_exec_iptables $var_dhcpc_exec_iptables | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_dhcpc_exec_iptables" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_dhcpc_exec_iptables # promote to variable | |
| set_fact: | |
| var_dhcpc_exec_iptables: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_dhcpc_exec_iptables" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean dhcpc_exec_iptables accordingly | |
| seboolean: | |
| name: dhcpc_exec_iptables | |
| state: "{{ var_dhcpc_exec_iptables }}" | |
| persistent: yes | |
| tags: | |
| - sebool_dhcpc_exec_iptables | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_dhcpc_exec_iptables:var:1" value-id="xccdf_org.ssgproject.content_value_var_dhcpc_exec_iptables"/> | |
| <check-content-ref name="oval:ssg-sebool_dhcpc_exec_iptables:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_dhcpc_exec_iptables_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_graceful_shutdown" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Enable the httpd_graceful_shutdown SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_graceful_shutdown</html:code> is enabled. | |
| If this setting is disabled, it should be enabled. | |
| To enable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_graceful_shutdown</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_graceful_shutdown on</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_graceful_shutdown" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_graceful_shutdown="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_graceful_shutdown" use="legacy"/>" | |
| setsebool -P httpd_graceful_shutdown $var_httpd_graceful_shutdown | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_graceful_shutdown" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_graceful_shutdown # promote to variable | |
| set_fact: | |
| var_httpd_graceful_shutdown: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_graceful_shutdown" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_graceful_shutdown accordingly | |
| seboolean: | |
| name: httpd_graceful_shutdown | |
| state: "{{ var_httpd_graceful_shutdown }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_graceful_shutdown | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_graceful_shutdown:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_graceful_shutdown"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_graceful_shutdown:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_graceful_shutdown_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_squid_use_tproxy" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the squid_use_tproxy SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">squid_use_tproxy</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">squid_use_tproxy</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P squid_use_tproxy off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_squid_use_tproxy" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_squid_use_tproxy="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_squid_use_tproxy" use="legacy"/>" | |
| setsebool -P squid_use_tproxy $var_squid_use_tproxy | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_squid_use_tproxy" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_squid_use_tproxy # promote to variable | |
| set_fact: | |
| var_squid_use_tproxy: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_squid_use_tproxy" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean squid_use_tproxy accordingly | |
| seboolean: | |
| name: squid_use_tproxy | |
| state: "{{ var_squid_use_tproxy }}" | |
| persistent: yes | |
| tags: | |
| - sebool_squid_use_tproxy | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_squid_use_tproxy:var:1" value-id="xccdf_org.ssgproject.content_value_var_squid_use_tproxy"/> | |
| <check-content-ref name="oval:ssg-sebool_squid_use_tproxy:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_squid_use_tproxy_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_global_ssp" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the global_ssp SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">global_ssp</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">global_ssp</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P global_ssp off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_global_ssp" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_global_ssp="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_global_ssp" use="legacy"/>" | |
| setsebool -P global_ssp "$var_global_ssp" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_global_ssp" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_global_ssp # promote to variable | |
| set_fact: | |
| var_global_ssp: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_global_ssp" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean global_ssp accordingly | |
| seboolean: | |
| name: global_ssp | |
| state: "{{ var_global_ssp }}" | |
| persistent: yes | |
| tags: | |
| - sebool_global_ssp | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_global_ssp:var:1" value-id="xccdf_org.ssgproject.content_value_var_global_ssp"/> | |
| <check-content-ref name="oval:ssg-sebool_global_ssp:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_global_ssp_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_puppetmaster_use_db" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the puppetmaster_use_db SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">puppetmaster_use_db</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">puppetmaster_use_db</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P puppetmaster_use_db off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_puppetmaster_use_db" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_puppetmaster_use_db="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_puppetmaster_use_db" use="legacy"/>" | |
| setsebool -P puppetmaster_use_db "$var_puppetmaster_use_db" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_puppetmaster_use_db" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_puppetmaster_use_db # promote to variable | |
| set_fact: | |
| var_puppetmaster_use_db: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_puppetmaster_use_db" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean puppetmaster_use_db accordingly | |
| seboolean: | |
| name: puppetmaster_use_db | |
| state: "{{ var_puppetmaster_use_db }}" | |
| persistent: yes | |
| tags: | |
| - sebool_puppetmaster_use_db | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_puppetmaster_use_db:var:1" value-id="xccdf_org.ssgproject.content_value_var_puppetmaster_use_db"/> | |
| <check-content-ref name="oval:ssg-sebool_puppetmaster_use_db:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_puppetmaster_use_db_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mozilla_plugin_use_bluejeans" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mozilla_plugin_use_bluejeans SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mozilla_plugin_use_bluejeans</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mozilla_plugin_use_bluejeans</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mozilla_plugin_use_bluejeans off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mozilla_plugin_use_bluejeans" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mozilla_plugin_use_bluejeans="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_bluejeans" use="legacy"/>" | |
| setsebool -P mozilla_plugin_use_bluejeans "$var_mozilla_plugin_use_bluejeans" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mozilla_plugin_use_bluejeans" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mozilla_plugin_use_bluejeans # promote to variable | |
| set_fact: | |
| var_mozilla_plugin_use_bluejeans: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_bluejeans" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean mozilla_plugin_use_bluejeans accordingly | |
| seboolean: | |
| name: mozilla_plugin_use_bluejeans | |
| state: "{{ var_mozilla_plugin_use_bluejeans }}" | |
| persistent: yes | |
| tags: | |
| - sebool_mozilla_plugin_use_bluejeans | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mozilla_plugin_use_bluejeans:var:1" value-id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_bluejeans"/> | |
| <check-content-ref name="oval:ssg-sebool_mozilla_plugin_use_bluejeans:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mozilla_plugin_use_bluejeans_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_exim_read_user_files" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the exim_read_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">exim_read_user_files</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">exim_read_user_files</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P exim_read_user_files off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_exim_read_user_files" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_exim_read_user_files="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_exim_read_user_files" use="legacy"/>" | |
| setsebool -P exim_read_user_files "$var_exim_read_user_files" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_exim_read_user_files" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_exim_read_user_files # promote to variable | |
| set_fact: | |
| var_exim_read_user_files: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_exim_read_user_files" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean exim_read_user_files accordingly | |
| seboolean: | |
| name: exim_read_user_files | |
| state: "{{ var_exim_read_user_files }}" | |
| persistent: yes | |
| tags: | |
| - sebool_exim_read_user_files | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_exim_read_user_files:var:1" value-id="xccdf_org.ssgproject.content_value_var_exim_read_user_files"/> | |
| <check-content-ref name="oval:ssg-sebool_exim_read_user_files:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_exim_read_user_files_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_manage_ipa" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_manage_ipa SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_manage_ipa</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_manage_ipa</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_manage_ipa off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_manage_ipa" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_manage_ipa="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_manage_ipa" use="legacy"/>" | |
| setsebool -P httpd_manage_ipa "$var_httpd_manage_ipa" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_manage_ipa" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_manage_ipa # promote to variable | |
| set_fact: | |
| var_httpd_manage_ipa: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_manage_ipa" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_manage_ipa accordingly | |
| seboolean: | |
| name: httpd_manage_ipa | |
| state: "{{ var_httpd_manage_ipa }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_manage_ipa | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_manage_ipa:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_manage_ipa"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_manage_ipa:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_manage_ipa_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_xguest_exec_content" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the xguest_exec_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">xguest_exec_content</html:code> is enabled. | |
| This setting should be disabled as guest users should not be able to run | |
| executables. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">xguest_exec_content</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P xguest_exec_content off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_xguest_exec_content" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_xguest_exec_content="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_xguest_exec_content" use="legacy"/>" | |
| setsebool -P xguest_exec_content "$var_xguest_exec_content" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_xguest_exec_content" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_xguest_exec_content # promote to variable | |
| set_fact: | |
| var_xguest_exec_content: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_xguest_exec_content" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean xguest_exec_content accordingly | |
| seboolean: | |
| name: xguest_exec_content | |
| state: "{{ var_xguest_exec_content }}" | |
| persistent: yes | |
| tags: | |
| - sebool_xguest_exec_content | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_xguest_exec_content:var:1" value-id="xccdf_org.ssgproject.content_value_var_xguest_exec_content"/> | |
| <check-content-ref name="oval:ssg-sebool_xguest_exec_content:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_xguest_exec_content_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_mod_auth_ntlm_winbind" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_mod_auth_ntlm_winbind SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_mod_auth_ntlm_winbind</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_mod_auth_ntlm_winbind</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_mod_auth_ntlm_winbind off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_mod_auth_ntlm_winbind" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_mod_auth_ntlm_winbind="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_ntlm_winbind" use="legacy"/>" | |
| setsebool -P httpd_mod_auth_ntlm_winbind "$var_httpd_mod_auth_ntlm_winbind" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_mod_auth_ntlm_winbind" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_mod_auth_ntlm_winbind # promote to variable | |
| set_fact: | |
| var_httpd_mod_auth_ntlm_winbind: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_ntlm_winbind" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_mod_auth_ntlm_winbind accordingly | |
| seboolean: | |
| name: httpd_mod_auth_ntlm_winbind | |
| state: "{{ var_httpd_mod_auth_ntlm_winbind }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_mod_auth_ntlm_winbind | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_mod_auth_ntlm_winbind:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_ntlm_winbind"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_mod_auth_ntlm_winbind:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_mod_auth_ntlm_winbind_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_dontaudit_search_dirs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_dontaudit_search_dirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_dontaudit_search_dirs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_dontaudit_search_dirs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_dontaudit_search_dirs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_dontaudit_search_dirs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_dontaudit_search_dirs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_dontaudit_search_dirs" use="legacy"/>" | |
| setsebool -P httpd_dontaudit_search_dirs "$var_httpd_dontaudit_search_dirs" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_dontaudit_search_dirs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_dontaudit_search_dirs # promote to variable | |
| set_fact: | |
| var_httpd_dontaudit_search_dirs: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_dontaudit_search_dirs" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_dontaudit_search_dirs accordingly | |
| seboolean: | |
| name: httpd_dontaudit_search_dirs | |
| state: "{{ var_httpd_dontaudit_search_dirs }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_dontaudit_search_dirs | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_dontaudit_search_dirs:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_dontaudit_search_dirs"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_dontaudit_search_dirs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_dontaudit_search_dirs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mysql_connect_any" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mysql_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mysql_connect_any</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mysql_connect_any</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mysql_connect_any off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mysql_connect_any" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mysql_connect_any="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mysql_connect_any" use="legacy"/>" | |
| setsebool -P mysql_connect_any "$var_mysql_connect_any" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mysql_connect_any" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mysql_connect_any # promote to variable | |
| set_fact: | |
| var_mysql_connect_any: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mysql_connect_any" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean mysql_connect_any accordingly | |
| seboolean: | |
| name: mysql_connect_any | |
| state: "{{ var_mysql_connect_any }}" | |
| persistent: yes | |
| tags: | |
| - sebool_mysql_connect_any | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mysql_connect_any:var:1" value-id="xccdf_org.ssgproject.content_value_var_mysql_connect_any"/> | |
| <check-content-ref name="oval:ssg-sebool_mysql_connect_any:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mysql_connect_any_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_nis_enabled" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the nis_enabled SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">nis_enabled</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nis_enabled</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P nis_enabled off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nis_enabled" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_nis_enabled="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nis_enabled" use="legacy"/>" | |
| setsebool -P nis_enabled "$var_nis_enabled" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nis_enabled" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_nis_enabled # promote to variable | |
| set_fact: | |
| var_nis_enabled: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nis_enabled" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean nis_enabled accordingly | |
| seboolean: | |
| name: nis_enabled | |
| state: "{{ var_nis_enabled }}" | |
| persistent: yes | |
| tags: | |
| - sebool_nis_enabled | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_nis_enabled:var:1" value-id="xccdf_org.ssgproject.content_value_var_nis_enabled"/> | |
| <check-content-ref name="oval:ssg-sebool_nis_enabled:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_nis_enabled_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_can_network_relay" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_can_network_relay SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_can_network_relay</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_can_network_relay</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_can_network_relay off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_can_network_relay" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_can_network_relay="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_can_network_relay" use="legacy"/>" | |
| setsebool -P httpd_can_network_relay "$var_httpd_can_network_relay" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_can_network_relay" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_can_network_relay # promote to variable | |
| set_fact: | |
| var_httpd_can_network_relay: !!str |- | |
| <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_can_network_relay" use="legacy"/> | |
| tags: | |
| - always | |
| - name: Ensure libsemanage-python installed | |
| package: | |
| name: libsemanage-python | |
| state: latest | |
| - name: Set SELinux boolean httpd_can_network_relay accordingly | |
| seboolean: | |
| name: httpd_can_network_relay | |
| state: "{{ var_httpd_can_network_relay }}" | |
| persistent: yes | |
| tags: | |
| - sebool_httpd_can_network_relay | |
| - medium_severity | |
| - enable_strategy | |
| - low_complexity | |
| - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_can_network_relay:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_can_network_relay"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_can_network_relay:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_can_network_relay_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_exim_manage_user_files" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the exim_manage_user_files SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">exim_manage_user_files</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">exim_manage_user_files</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P exim_manage_user_files off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_exim_manage_user_files" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_exim_manage_user_files="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_exim_manage_user_files" use="legacy"/>" | |
| setsebool -P exim_manage_user_files "$var_exim_manage_user_files" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_exim_manage_user_files" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_exim_manage_user_files # promote to variable | |
|   set_fact: | |
|     var_exim_manage_user_files: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_exim_manage_user_files" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean exim_manage_user_files accordingly | |
|   seboolean: | |
|     name: exim_manage_user_files | |
|     state: "{{ var_exim_manage_user_files }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_exim_manage_user_files | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_exim_manage_user_files:var:1" value-id="xccdf_org.ssgproject.content_value_var_exim_manage_user_files"/> | |
| <check-content-ref name="oval:ssg-sebool_exim_manage_user_files:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_exim_manage_user_files_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_lsmd_plugin_connect_any" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the lsmd_plugin_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">lsmd_plugin_connect_any</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">lsmd_plugin_connect_any</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P lsmd_plugin_connect_any off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_lsmd_plugin_connect_any" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_lsmd_plugin_connect_any="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_lsmd_plugin_connect_any" use="legacy"/>" | |
| setsebool -P lsmd_plugin_connect_any $var_lsmd_plugin_connect_any | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_lsmd_plugin_connect_any" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_lsmd_plugin_connect_any # promote to variable | |
|   set_fact: | |
|     var_lsmd_plugin_connect_any: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_lsmd_plugin_connect_any" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean lsmd_plugin_connect_any accordingly | |
|   seboolean: | |
|     name: lsmd_plugin_connect_any | |
|     state: "{{ var_lsmd_plugin_connect_any }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_lsmd_plugin_connect_any | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_lsmd_plugin_connect_any:var:1" value-id="xccdf_org.ssgproject.content_value_var_lsmd_plugin_connect_any"/> | |
| <check-content-ref name="oval:ssg-sebool_lsmd_plugin_connect_any:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_lsmd_plugin_connect_any_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mpd_use_cifs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mpd_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mpd_use_cifs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mpd_use_cifs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mpd_use_cifs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mpd_use_cifs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mpd_use_cifs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mpd_use_cifs" use="legacy"/>" | |
| setsebool -P mpd_use_cifs $var_mpd_use_cifs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mpd_use_cifs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mpd_use_cifs # promote to variable | |
|   set_fact: | |
|     var_mpd_use_cifs: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mpd_use_cifs" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean mpd_use_cifs accordingly | |
|   seboolean: | |
|     name: mpd_use_cifs | |
|     state: "{{ var_mpd_use_cifs }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_mpd_use_cifs | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mpd_use_cifs:var:1" value-id="xccdf_org.ssgproject.content_value_var_mpd_use_cifs"/> | |
| <check-content-ref name="oval:ssg-sebool_mpd_use_cifs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mpd_use_cifs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mcelog_foreground" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mcelog_foreground SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mcelog_foreground</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mcelog_foreground</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mcelog_foreground off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mcelog_foreground" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mcelog_foreground="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mcelog_foreground" use="legacy"/>" | |
| setsebool -P mcelog_foreground $var_mcelog_foreground | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mcelog_foreground" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mcelog_foreground # promote to variable | |
|   set_fact: | |
|     var_mcelog_foreground: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mcelog_foreground" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean mcelog_foreground accordingly | |
|   seboolean: | |
|     name: mcelog_foreground | |
|     state: "{{ var_mcelog_foreground }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_mcelog_foreground | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mcelog_foreground:var:1" value-id="xccdf_org.ssgproject.content_value_var_mcelog_foreground"/> | |
| <check-content-ref name="oval:ssg-sebool_mcelog_foreground:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mcelog_foreground_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_zebra_write_config" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the zebra_write_config SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">zebra_write_config</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">zebra_write_config</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P zebra_write_config off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_zebra_write_config" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_zebra_write_config="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_zebra_write_config" use="legacy"/>" | |
| setsebool -P zebra_write_config $var_zebra_write_config | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_zebra_write_config" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_zebra_write_config # promote to variable | |
|   set_fact: | |
|     var_zebra_write_config: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_zebra_write_config" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean zebra_write_config accordingly | |
|   seboolean: | |
|     name: zebra_write_config | |
|     state: "{{ var_zebra_write_config }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_zebra_write_config | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_zebra_write_config:var:1" value-id="xccdf_org.ssgproject.content_value_var_zebra_write_config"/> | |
| <check-content-ref name="oval:ssg-sebool_zebra_write_config:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_zebra_write_config_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_zabbix_can_network" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the zabbix_can_network SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">zabbix_can_network</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">zabbix_can_network</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P zabbix_can_network off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_zabbix_can_network" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_zabbix_can_network="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_zabbix_can_network" use="legacy"/>" | |
| setsebool -P zabbix_can_network $var_zabbix_can_network | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_zabbix_can_network" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_zabbix_can_network # promote to variable | |
|   set_fact: | |
|     var_zabbix_can_network: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_zabbix_can_network" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean zabbix_can_network accordingly | |
|   seboolean: | |
|     name: zabbix_can_network | |
|     state: "{{ var_zabbix_can_network }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_zabbix_can_network | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_zabbix_can_network:var:1" value-id="xccdf_org.ssgproject.content_value_var_zabbix_can_network"/> | |
| <check-content-ref name="oval:ssg-sebool_zabbix_can_network:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_zabbix_can_network_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_nfsd_anon_write" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the nfsd_anon_write SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">nfsd_anon_write</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nfsd_anon_write</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P nfsd_anon_write off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nfsd_anon_write" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_nfsd_anon_write="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nfsd_anon_write" use="legacy"/>" | |
| setsebool -P nfsd_anon_write $var_nfsd_anon_write | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nfsd_anon_write" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_nfsd_anon_write # promote to variable | |
|   set_fact: | |
|     var_nfsd_anon_write: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nfsd_anon_write" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean nfsd_anon_write accordingly | |
|   seboolean: | |
|     name: nfsd_anon_write | |
|     state: "{{ var_nfsd_anon_write }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_nfsd_anon_write | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_nfsd_anon_write:var:1" value-id="xccdf_org.ssgproject.content_value_var_nfsd_anon_write"/> | |
| <check-content-ref name="oval:ssg-sebool_nfsd_anon_write:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_nfsd_anon_write_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_git_system_use_nfs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the git_system_use_nfs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">git_system_use_nfs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">git_system_use_nfs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P git_system_use_nfs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_git_system_use_nfs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_git_system_use_nfs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_git_system_use_nfs" use="legacy"/>" | |
| setsebool -P git_system_use_nfs $var_git_system_use_nfs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_git_system_use_nfs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_git_system_use_nfs # promote to variable | |
|   set_fact: | |
|     var_git_system_use_nfs: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_git_system_use_nfs" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean git_system_use_nfs accordingly | |
|   seboolean: | |
|     name: git_system_use_nfs | |
|     state: "{{ var_git_system_use_nfs }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_git_system_use_nfs | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_git_system_use_nfs:var:1" value-id="xccdf_org.ssgproject.content_value_var_git_system_use_nfs"/> | |
| <check-content-ref name="oval:ssg-sebool_git_system_use_nfs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_git_system_use_nfs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_deny_execmem" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the deny_execmem SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">deny_execmem</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">deny_execmem</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P deny_execmem off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_deny_execmem" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_deny_execmem="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_deny_execmem" use="legacy"/>" | |
| setsebool -P deny_execmem $var_deny_execmem | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_deny_execmem" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_deny_execmem # promote to variable | |
|   set_fact: | |
|     var_deny_execmem: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_deny_execmem" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean deny_execmem accordingly | |
|   seboolean: | |
|     name: deny_execmem | |
|     state: "{{ var_deny_execmem }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_deny_execmem | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_deny_execmem:var:1" value-id="xccdf_org.ssgproject.content_value_var_deny_execmem"/> | |
| <check-content-ref name="oval:ssg-sebool_deny_execmem:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_deny_execmem_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_can_network_memcache" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_can_network_memcache SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_can_network_memcache</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_can_network_memcache</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_can_network_memcache off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_can_network_memcache" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_can_network_memcache="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_can_network_memcache" use="legacy"/>" | |
| setsebool -P httpd_can_network_memcache $var_httpd_can_network_memcache | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_can_network_memcache" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_can_network_memcache # promote to variable | |
|   set_fact: | |
|     var_httpd_can_network_memcache: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_can_network_memcache" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean httpd_can_network_memcache accordingly | |
|   seboolean: | |
|     name: httpd_can_network_memcache | |
|     state: "{{ var_httpd_can_network_memcache }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_httpd_can_network_memcache | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_can_network_memcache:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_can_network_memcache"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_can_network_memcache:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_can_network_memcache_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_samba_export_all_ro" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the samba_export_all_ro SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba_export_all_ro</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">samba_export_all_ro</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P samba_export_all_ro off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_samba_export_all_ro" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_samba_export_all_ro="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_samba_export_all_ro" use="legacy"/>" | |
| setsebool -P samba_export_all_ro $var_samba_export_all_ro | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_samba_export_all_ro" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_samba_export_all_ro # promote to variable | |
|   set_fact: | |
|     var_samba_export_all_ro: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_samba_export_all_ro" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean samba_export_all_ro accordingly | |
|   seboolean: | |
|     name: samba_export_all_ro | |
|     state: "{{ var_samba_export_all_ro }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_samba_export_all_ro | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_samba_export_all_ro:var:1" value-id="xccdf_org.ssgproject.content_value_var_samba_export_all_ro"/> | |
| <check-content-ref name="oval:ssg-sebool_samba_export_all_ro:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_samba_export_all_ro_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_docker_connect_any" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the docker_connect_any SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">docker_connect_any</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">docker_connect_any</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P docker_connect_any off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_docker_connect_any" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_docker_connect_any="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_docker_connect_any" use="legacy"/>" | |
| setsebool -P docker_connect_any $var_docker_connect_any | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_docker_connect_any" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_docker_connect_any # promote to variable | |
|   set_fact: | |
|     var_docker_connect_any: !!str |- | |
|       <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_docker_connect_any" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean docker_connect_any accordingly | |
|   seboolean: | |
|     name: docker_connect_any | |
|     state: "{{ var_docker_connect_any }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_docker_connect_any | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_docker_connect_any:var:1" value-id="xccdf_org.ssgproject.content_value_var_docker_connect_any"/> | |
| <check-content-ref name="oval:ssg-sebool_docker_connect_any:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_docker_connect_any_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_sftpd_write_ssh_home" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the sftpd_write_ssh_home SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">sftpd_write_ssh_home</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">sftpd_write_ssh_home</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P sftpd_write_ssh_home off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sftpd_write_ssh_home" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_sftpd_write_ssh_home="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sftpd_write_ssh_home" use="legacy"/>" | |
| setsebool -P sftpd_write_ssh_home $var_sftpd_write_ssh_home | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_sftpd_write_ssh_home" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_sftpd_write_ssh_home # promote to variable | |
|   set_fact: | |
|     var_sftpd_write_ssh_home: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sftpd_write_ssh_home" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean sftpd_write_ssh_home accordingly | |
|   seboolean: | |
|     name: sftpd_write_ssh_home | |
|     state: "{{ var_sftpd_write_ssh_home }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_sftpd_write_ssh_home | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_sftpd_write_ssh_home:var:1" value-id="xccdf_org.ssgproject.content_value_var_sftpd_write_ssh_home"/> | |
| <check-content-ref name="oval:ssg-sebool_sftpd_write_ssh_home:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_sftpd_write_ssh_home_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_nagios_run_pnp4nagios" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the nagios_run_pnp4nagios SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">nagios_run_pnp4nagios</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">nagios_run_pnp4nagios</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P nagios_run_pnp4nagios off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nagios_run_pnp4nagios" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_nagios_run_pnp4nagios="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nagios_run_pnp4nagios" use="legacy"/>" | |
| setsebool -P nagios_run_pnp4nagios $var_nagios_run_pnp4nagios | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_nagios_run_pnp4nagios" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_nagios_run_pnp4nagios # promote to variable | |
|   set_fact: | |
|     var_nagios_run_pnp4nagios: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_nagios_run_pnp4nagios" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean nagios_run_pnp4nagios accordingly | |
|   seboolean: | |
|     name: nagios_run_pnp4nagios | |
|     state: "{{ var_nagios_run_pnp4nagios }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_nagios_run_pnp4nagios | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_nagios_run_pnp4nagios:var:1" value-id="xccdf_org.ssgproject.content_value_var_nagios_run_pnp4nagios"/> | |
| <check-content-ref name="oval:ssg-sebool_nagios_run_pnp4nagios:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_nagios_run_pnp4nagios_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_daemons_dump_core" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the daemons_dump_core SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">daemons_dump_core</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">daemons_dump_core</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P daemons_dump_core off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_daemons_dump_core" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_daemons_dump_core="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_daemons_dump_core" use="legacy"/>" | |
| setsebool -P daemons_dump_core $var_daemons_dump_core | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_daemons_dump_core" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_daemons_dump_core # promote to variable | |
|   set_fact: | |
|     var_daemons_dump_core: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_daemons_dump_core" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean daemons_dump_core accordingly | |
|   seboolean: | |
|     name: daemons_dump_core | |
|     state: "{{ var_daemons_dump_core }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_daemons_dump_core | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_daemons_dump_core:var:1" value-id="xccdf_org.ssgproject.content_value_var_daemons_dump_core"/> | |
| <check-content-ref name="oval:ssg-sebool_daemons_dump_core:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_daemons_dump_core_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_ftpd_use_cifs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the ftpd_use_cifs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_use_cifs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">ftpd_use_cifs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P ftpd_use_cifs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_use_cifs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_ftpd_use_cifs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_use_cifs" use="legacy"/>" | |
| setsebool -P ftpd_use_cifs $var_ftpd_use_cifs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_ftpd_use_cifs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_ftpd_use_cifs # promote to variable | |
|   set_fact: | |
|     var_ftpd_use_cifs: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_ftpd_use_cifs" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean ftpd_use_cifs accordingly | |
|   seboolean: | |
|     name: ftpd_use_cifs | |
|     state: "{{ var_ftpd_use_cifs }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_ftpd_use_cifs | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_ftpd_use_cifs:var:1" value-id="xccdf_org.ssgproject.content_value_var_ftpd_use_cifs"/> | |
| <check-content-ref name="oval:ssg-sebool_ftpd_use_cifs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_ftpd_use_cifs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_cdrecord_read_content" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the cdrecord_read_content SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">cdrecord_read_content</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">cdrecord_read_content</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P cdrecord_read_content off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_cdrecord_read_content" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_cdrecord_read_content="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_cdrecord_read_content" use="legacy"/>" | |
| setsebool -P cdrecord_read_content $var_cdrecord_read_content | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_cdrecord_read_content" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_cdrecord_read_content # promote to variable | |
|   set_fact: | |
|     var_cdrecord_read_content: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_cdrecord_read_content" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean cdrecord_read_content accordingly | |
|   seboolean: | |
|     name: cdrecord_read_content | |
|     state: "{{ var_cdrecord_read_content }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_cdrecord_read_content | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_cdrecord_read_content:var:1" value-id="xccdf_org.ssgproject.content_value_var_cdrecord_read_content"/> | |
| <check-content-ref name="oval:ssg-sebool_cdrecord_read_content:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_cdrecord_read_content_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_mod_auth_pam" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_mod_auth_pam SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_mod_auth_pam</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_mod_auth_pam</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_mod_auth_pam off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_mod_auth_pam" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_mod_auth_pam="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_pam" use="legacy"/>" | |
| setsebool -P httpd_mod_auth_pam $var_httpd_mod_auth_pam | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_mod_auth_pam" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_mod_auth_pam # promote to variable | |
|   set_fact: | |
|     var_httpd_mod_auth_pam: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_pam" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean httpd_mod_auth_pam accordingly | |
|   seboolean: | |
|     name: httpd_mod_auth_pam | |
|     state: "{{ var_httpd_mod_auth_pam }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_httpd_mod_auth_pam | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_mod_auth_pam:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_pam"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_mod_auth_pam:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_mod_auth_pam_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_enable_ftp_server" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_enable_ftp_server SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_enable_ftp_server</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_enable_ftp_server</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_enable_ftp_server off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_enable_ftp_server" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_enable_ftp_server="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_enable_ftp_server" use="legacy"/>" | |
| setsebool -P httpd_enable_ftp_server $var_httpd_enable_ftp_server | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_enable_ftp_server" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_httpd_enable_ftp_server # promote to variable | |
|   set_fact: | |
|     var_httpd_enable_ftp_server: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_httpd_enable_ftp_server" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean httpd_enable_ftp_server accordingly | |
|   seboolean: | |
|     name: httpd_enable_ftp_server | |
|     state: "{{ var_httpd_enable_ftp_server }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_httpd_enable_ftp_server | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_httpd_enable_ftp_server:var:1" value-id="xccdf_org.ssgproject.content_value_var_httpd_enable_ftp_server"/> | |
| <check-content-ref name="oval:ssg-sebool_httpd_enable_ftp_server:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_httpd_enable_ftp_server_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_postgresql_selinux_transmit_client_label" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the postgresql_selinux_transmit_client_label SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">postgresql_selinux_transmit_client_label</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">postgresql_selinux_transmit_client_label</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P postgresql_selinux_transmit_client_label off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_postgresql_selinux_transmit_client_label" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_postgresql_selinux_transmit_client_label="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_postgresql_selinux_transmit_client_label" use="legacy"/>" | |
| setsebool -P postgresql_selinux_transmit_client_label $var_postgresql_selinux_transmit_client_label | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_postgresql_selinux_transmit_client_label" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_postgresql_selinux_transmit_client_label # promote to variable | |
|   set_fact: | |
|     var_postgresql_selinux_transmit_client_label: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_postgresql_selinux_transmit_client_label" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean postgresql_selinux_transmit_client_label accordingly | |
|   seboolean: | |
|     name: postgresql_selinux_transmit_client_label | |
|     state: "{{ var_postgresql_selinux_transmit_client_label }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_postgresql_selinux_transmit_client_label | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_postgresql_selinux_transmit_client_label:var:1" value-id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_transmit_client_label"/> | |
| <check-content-ref name="oval:ssg-sebool_postgresql_selinux_transmit_client_label:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_postgresql_selinux_transmit_client_label_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mock_enable_homedirs" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mock_enable_homedirs SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mock_enable_homedirs</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mock_enable_homedirs</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mock_enable_homedirs off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mock_enable_homedirs" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mock_enable_homedirs="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mock_enable_homedirs" use="legacy"/>" | |
| setsebool -P mock_enable_homedirs $var_mock_enable_homedirs | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mock_enable_homedirs" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mock_enable_homedirs # promote to variable | |
|   set_fact: | |
|     var_mock_enable_homedirs: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mock_enable_homedirs" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean mock_enable_homedirs accordingly | |
|   seboolean: | |
|     name: mock_enable_homedirs | |
|     state: "{{ var_mock_enable_homedirs }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_mock_enable_homedirs | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mock_enable_homedirs:var:1" value-id="xccdf_org.ssgproject.content_value_var_mock_enable_homedirs"/> | |
| <check-content-ref name="oval:ssg-sebool_mock_enable_homedirs:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mock_enable_homedirs_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_logging_syslogd_can_sendmail" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the logging_syslogd_can_sendmail SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">logging_syslogd_can_sendmail</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">logging_syslogd_can_sendmail</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P logging_syslogd_can_sendmail off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_logging_syslogd_can_sendmail" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_logging_syslogd_can_sendmail="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_logging_syslogd_can_sendmail" use="legacy"/>" | |
| setsebool -P logging_syslogd_can_sendmail $var_logging_syslogd_can_sendmail | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_logging_syslogd_can_sendmail" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_logging_syslogd_can_sendmail # promote to variable | |
|   set_fact: | |
|     var_logging_syslogd_can_sendmail: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_logging_syslogd_can_sendmail" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean logging_syslogd_can_sendmail accordingly | |
|   seboolean: | |
|     name: logging_syslogd_can_sendmail | |
|     state: "{{ var_logging_syslogd_can_sendmail }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_logging_syslogd_can_sendmail | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_logging_syslogd_can_sendmail:var:1" value-id="xccdf_org.ssgproject.content_value_var_logging_syslogd_can_sendmail"/> | |
| <check-content-ref name="oval:ssg-sebool_logging_syslogd_can_sendmail:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_logging_syslogd_can_sendmail_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_dhcpd_use_ldap" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the dhcpd_use_ldap SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhcpd_use_ldap</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">dhcpd_use_ldap</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P dhcpd_use_ldap off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_dhcpd_use_ldap" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_dhcpd_use_ldap="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_dhcpd_use_ldap" use="legacy"/>" | |
| setsebool -P dhcpd_use_ldap $var_dhcpd_use_ldap | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_dhcpd_use_ldap" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_dhcpd_use_ldap # promote to variable | |
|   set_fact: | |
|     var_dhcpd_use_ldap: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_dhcpd_use_ldap" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean dhcpd_use_ldap accordingly | |
|   seboolean: | |
|     name: dhcpd_use_ldap | |
|     state: "{{ var_dhcpd_use_ldap }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_dhcpd_use_ldap | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_dhcpd_use_ldap:var:1" value-id="xccdf_org.ssgproject.content_value_var_dhcpd_use_ldap"/> | |
| <check-content-ref name="oval:ssg-sebool_dhcpd_use_ldap:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_dhcpd_use_ldap_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_virt_use_samba" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the virt_use_samba SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_use_samba</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">virt_use_samba</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P virt_use_samba off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_use_samba" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_virt_use_samba="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_use_samba" use="legacy"/>" | |
| setsebool -P virt_use_samba $var_virt_use_samba | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_virt_use_samba" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_virt_use_samba # promote to variable | |
|   set_fact: | |
|     var_virt_use_samba: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_virt_use_samba" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean virt_use_samba accordingly | |
|   seboolean: | |
|     name: virt_use_samba | |
|     state: "{{ var_virt_use_samba }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_virt_use_samba | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_virt_use_samba:var:1" value-id="xccdf_org.ssgproject.content_value_var_virt_use_samba"/> | |
| <check-content-ref name="oval:ssg-sebool_virt_use_samba:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_virt_use_samba_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_mozilla_plugin_bind_unreserved_ports" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the mozilla_plugin_bind_unreserved_ports SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">mozilla_plugin_bind_unreserved_ports</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">mozilla_plugin_bind_unreserved_ports</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P mozilla_plugin_bind_unreserved_ports off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mozilla_plugin_bind_unreserved_ports" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_mozilla_plugin_bind_unreserved_ports="<sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mozilla_plugin_bind_unreserved_ports" use="legacy"/>" | |
| setsebool -P mozilla_plugin_bind_unreserved_ports "$var_mozilla_plugin_bind_unreserved_ports" | |
| </fix> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_mozilla_plugin_bind_unreserved_ports" system="urn:xccdf:fix:script:ansible" complexity="low" disruption="low" strategy="enable">- name: XCCDF Value var_mozilla_plugin_bind_unreserved_ports # promote to variable | |
|   set_fact: | |
|     var_mozilla_plugin_bind_unreserved_ports: !!str |- | |
|         <sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_mozilla_plugin_bind_unreserved_ports" use="legacy"/> | |
|   tags: | |
|     - always | |
| - name: Ensure libsemanage-python installed | |
|   package: | |
|     name: libsemanage-python | |
|     state: latest | |
| - name: Set SELinux boolean mozilla_plugin_bind_unreserved_ports accordingly | |
|   seboolean: | |
|     name: mozilla_plugin_bind_unreserved_ports | |
|     state: "{{ var_mozilla_plugin_bind_unreserved_ports }}" | |
|     persistent: yes | |
|   tags: | |
|     - sebool_mozilla_plugin_bind_unreserved_ports | |
|     - medium_severity | |
|     - enable_strategy | |
|     - low_complexity | |
|     - low_disruption | |
| </fix> | |
| <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> | |
| <check-export export-name="oval:ssg-var_mozilla_plugin_bind_unreserved_ports:var:1" value-id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_bind_unreserved_ports"/> | |
| <check-content-ref name="oval:ssg-sebool_mozilla_plugin_bind_unreserved_ports:def:1" href="ssg-rhel7-oval.xml"/> | |
| </check> | |
| <check system="http://scap.nist.gov/schema/ocil/2"> | |
| <check-content-ref name="ocil:ssg-sebool_mozilla_plugin_bind_unreserved_ports_ocil:questionnaire:1" href="ssg-rhel7-ocil.xml"/> | |
| </check> | |
| </Rule> | |
| <Rule id="xccdf_org.ssgproject.content_rule_sebool_httpd_verify_dns" selected="false" severity="medium"> | |
| <title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Disable the httpd_verify_dns SELinux Boolean</title> | |
| <description xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">By default, the SELinux boolean <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_verify_dns</html:code> is disabled. | |
| If this setting is enabled, it should be disabled. | |
| To disable the <html:code xmlns:html="http://www.w3.org/1999/xhtml">httpd_verify_dns</html:code> SELinux boolean, run the following command: | |
| <html:pre xmlns:html="http://www.w3.org/1999/xhtml">$ sudo setsebool -P httpd_verify_dns off</html:pre></description> | |
| <rationale xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US"/> | |
| <fix xmlns:xhtml="http://www.w3.org/1999/xhtml" id="sebool_httpd_verify_dns" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="enable"> | |
| var_httpd_verify_dns= |