Skip to content

Instantly share code, notes, and snippets.

@pysysops

pysysops/ssg-centos7-ds.xml

Last active May 26, 2017 10:49
Show Gist options
  • Save pysysops/afb2d3ba5af39c14b61f438b76b97414 to your computer and use it in GitHub Desktop.
Save pysysops/afb2d3ba5af39c14b61f438b76b97414 to your computer and use it in GitHub Desktop.
Download ZIP
CentOS 7 SCAP Security Guide
Raw
ssg-centos7-ds.xml
This file has been truncated, but you can view the full file.
<ns0:data-stream-collection xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ns0="http://scap.nist.gov/schema/scap/source/1.2" xmlns:ns1="http://www.w3.org/1999/xlink" xmlns:ns10="http://checklists.nist.gov/xccdf/1.2" xmlns:ns12="http://www.w3.org/2000/svg" xmlns:ns14="http://cpe.mitre.org/dictionary/2.0" xmlns:ns2="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns6="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns7="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ns8="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:ns9="http://scap.nist.gov/schema/ocil/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_ssg-rhel7-xccdf-1.2.xml" schematron-version="1.2">
<ns0:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhel7-xccdf-1.2.xml" scap-version="1.2" use-case="OTHER">
<ns0:dictionaries>
<ns0:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7-cpe-dictionary.xml" ns1:href="#scap_org.open-scap_comp_output--ssg-rhel7-cpe-dictionary.xml">
<ns2:catalog>
<ns2:uri name="ssg-rhel7-cpe-oval.xml" uri="#scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml" />
</ns2:catalog>
</ns0:component-ref>
</ns0:dictionaries>
<ns0:checklists>
<ns0:component-ref id="scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml" ns1:href="#scap_org.open-scap_comp_ssg-rhel7-xccdf-1.2.xml">
<ns2:catalog>
<ns2:uri name="ssg-rhel7-oval.xml" uri="#scap_org.open-scap_cref_ssg-rhel7-oval.xml" />
<ns2:uri name="ssg-rhel7-ocil.xml" uri="#scap_org.open-scap_cref_ssg-rhel7-ocil.xml" />
</ns2:catalog>
</ns0:component-ref>
</ns0:checklists>
<ns0:checks>
<ns0:component-ref id="scap_org.open-scap_cref_ssg-rhel7-oval.xml" ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml" />
<ns0:component-ref id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml" ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml" />
<ns0:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7-cpe-oval.xml" ns1:href="#scap_org.open-scap_comp_output--ssg-rhel7-cpe-oval.xml" />
<ns0:component-ref id="scap_org.open-scap_cref_output--ssg-rhel7-oval.xml" ns1:href="#scap_org.open-scap_comp_output--ssg-rhel7-oval.xml" /></ns0:checks>
</ns0:data-stream>
<ns0:component id="scap_org.open-scap_comp_ssg-rhel7-oval.xml" timestamp="2017-03-03T10:48:22">
<ns3:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<ns3:generator>
<ns5:product_name>python</ns5:product_name>
<ns5:product_version>2.7.5</ns5:product_version>
<ns5:schema_version>5.11</ns5:schema_version>
<ns5:timestamp>2017-03-03T10:48:17</ns5:timestamp>
</ns3:generator>
<ns3:definitions>
<ns3:definition class="compliance" id="oval:ssg-account_disable_post_pw_expiration:def:1" version="2">
<ns3:metadata>
<ns3:title>Set Accounts to Expire Following Password Expiration</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The accounts should be configured to expire automatically following password expiration.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="account_disable_post_pw_expiration" source="ssg" /></ns3:metadata>
<ns3:criteria comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd">
<ns3:criterion test_ref="oval:ssg-test_etc_default_useradd_inactive:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-account_unique_name:def:1" version="1">
<ns3:metadata>
<ns3:title>Set All Accounts To Have Unique Names</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>All accounts on the system should have unique names for proper accountability.</ns3:description>
<ns3:reference ref_id="RHEL6_20150911" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150911" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150911" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="account_unique_name" source="ssg" /></ns3:metadata>
<ns3:criteria comment="There should not exist duplicate user name entries in /etc/passwd">
<ns3:criterion test_ref="oval:ssg-test_etc_passwd_no_duplicate_user_names:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_max_concurrent_login_sessions:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Maximum Number of Concurrent Login Sessions Per User</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The maximum number of concurrent login sessions per user should meet
minimum requirements.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="accounts_max_concurrent_login_sessions" source="ssg" /></ns3:metadata>
<ns3:criteria comment="the value maxlogins should be set appropriately in /etc/security/limits.conf">
<ns3:criterion test_ref="oval:ssg-test_maxlogins:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_maximum_age_login_defs:def:1" version="3">
<ns3:metadata>
<ns3:title>Set Password Expiration Parameters</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The maximum password age policy should meet minimum requirements.</ns3:description>
<ns3:reference ref_id="RHEL6_20150130" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150130" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150130" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_maximum_age_login_defs" source="ssg" /></ns3:metadata>
<ns3:criteria comment="The value PASS_MAX_DAYS should be set appropriately in /etc/login.defs">
<ns3:criterion test_ref="oval:ssg-test_pass_max_days:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_minimum_age_login_defs:def:1" version="3">
<ns3:metadata>
<ns3:title>Set Password Expiration Parameters</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The minimum password age policy should be set appropriately.</ns3:description>
<ns3:reference ref_id="RHEL6_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_minimum_age_login_defs" source="ssg" /></ns3:metadata>
<ns3:criteria comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs">
<ns3:criterion test_ref="oval:ssg-test_pass_min_days:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_no_uid_except_zero:def:1" version="1">
<ns3:metadata>
<ns3:title>UID 0 Belongs Only To Root</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Only the root account should be assigned a user id of 0.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="accounts_no_uid_except_zero" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="oval:ssg-test_accounts_no_uid_except_root:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_all_shadowed:def:1" version="1">
<ns3:metadata>
<ns3:title>All Password Hashes Shadowed</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>All password hashes should be shadowed.</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="accounts_password_all_shadowed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="password hashes are shadowed" test_ref="oval:ssg-test_accounts_password_all_shadowed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_minlen_login_defs:def:1" version="3">
<ns3:metadata>
<ns3:title>Set Password Expiration Parameters</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The password minimum length should be set appropriately.</ns3:description>
<ns3:reference ref_id="RHEL6_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_password_minlen_login_defs" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_pass_min_len:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_dcredit:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Password dcredit Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password dcredit should meet minimum requirements</ns3:description>
<ns3:reference ref_id="20141010" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_password_pam_dcredit" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for dcredit are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_dcredit:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_difok:def:1" version="2">
<ns3:metadata>
<ns3:title>Set Password difok Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password difok should meet minimum requirements</ns3:description>
<ns3:reference ref_id="20141010" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_password_pam_difok" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for difok are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_difok:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_lcredit:def:1" version="2">
<ns3:metadata>
<ns3:title>Set Password lcredit Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password lcredit should meet minimum requirements</ns3:description>
<ns3:reference ref_id="20140926" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="accounts_password_pam_lcredit" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for lcredit are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_lcredit:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_maxclassrepeat:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Password maxclassrepeat Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password maxclassrepeat should meet minimum
requirements using pam_pwquality</ns3:description>
<ns3:reference ref_id="20160227" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="accounts_password_pam_maxclassrepeat" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for maxclassrepeat are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_maxrepeat:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Password maxrepeat Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password maxrepeat should meet minimum
requirements using pam_pwquality</ns3:description>
<ns3:reference ref_id="20141006" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_password_pam_maxrepeat" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for maxrepeat are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_minclass:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Password minclass Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password minclass should meet the minimum requirements</ns3:description>
<ns3:reference ref_id="20141010" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_password_pam_minclass" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for minclass are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_minclass:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_minlen:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Password minlen Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password minlen should meet minimum requirements</ns3:description>
<ns3:reference ref_id="20141010" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_password_pam_minlen" source="ssg" /></ns3:metadata>
<ns3:criteria comment="system uses pam_pwquality configured" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pam_pwquality" test_ref="oval:ssg-test_password_pam_pwquality_minlen:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_ocredit:def:1" version="2">
<ns3:metadata>
<ns3:title>Set Password ocredit Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password ocredit should meet minimum requirements</ns3:description>
<ns3:reference ref_id="20141010" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_password_pam_ocredit" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for ocredit are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_ocredit:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_pwquality:def:1" version="1">
<ns3:metadata>
<ns3:title>Check pam_pwquality Existence in system-auth</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Check that pam_pwquality.so exists in system-auth</ns3:description>
<ns3:reference ref_id="RHEL7_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_password_pam_pwquality" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Conditions for pam_pwquality are satisfied" test_ref="oval:ssg-test_password_pam_pwquality:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_retry:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Password retry Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
</ns3:affected>
<ns3:description>The password retry should meet minimum requirements</ns3:description>
<ns3:reference ref_id="20140925" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="accounts_password_pam_retry" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Conditions for retry are satisfied" operator="OR">
<ns3:criteria comment="system is RHEL6 with pam_cracklib configured" operator="AND">
<ns3:extend_definition comment="RHEL6 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel6:def:1" />
<ns3:criterion comment="rhel6 pam_cracklib" test_ref="oval:ssg-test_password_pam_cracklib_retry:tst:1" />
</ns3:criteria>
<ns3:criteria comment="system is RHEL7 with pam_pwquality configured" operator="AND">
<ns3:extend_definition comment="RHEL7 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1" />
<ns3:criterion comment="rhel7 pam_pwquality" test_ref="oval:ssg-test_password_pam_pwquality_retry:tst:1" />
</ns3:criteria>
<ns3:criteria comment="system is Fedora with pam_pwquality configured" operator="AND">
<ns3:extend_definition comment="Fedora OS installed" definition_ref="oval:ssg-installed_OS_is_fedora:def:1" />
<ns3:criterion comment="Fedora pam_pwquality" test_ref="oval:ssg-test_password_pam_pwquality_retry:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_ucredit:def:1" version="2">
<ns3:metadata>
<ns3:title>Set Password ucredit Requirements</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The password ucredit should meet minimum requirements</ns3:description>
<ns3:reference ref_id="20141010" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_password_pam_ucredit" source="ssg" /></ns3:metadata>
<ns3:criteria comment="conditions for ucredit are satisfied" operator="AND">
<ns3:extend_definition comment="pwquality.so exists in system-auth" definition_ref="oval:ssg-accounts_password_pam_pwquality:def:1" />
<ns3:criterion comment="pwquality.conf" test_ref="oval:ssg-test_password_pam_pwquality_ucredit:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_pam_unix_remember:def:1" version="2">
<ns3:metadata>
<ns3:title>Limit Password Reuse</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The passwords to remember should be set correctly.</ns3:description>
<ns3:reference ref_id="RHEL6_20131025" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="SDW" />
<ns3:reference ref_id="RHEL7_20150929" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150929" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_password_pam_unix_remember" source="ssg" /></ns3:metadata>
<ns3:criteria comment="remember parameter of pam_unix.so or pam_pwhistory.so is set correctly" operator="OR">
<ns3:criterion comment="remember parameter of pam_unix.so is set correctly" test_ref="oval:ssg-test_accounts_password_pam_unix_remember:tst:1" />
<ns3:criterion comment="remember parameter of pam_pwhistory.so is set correctly" test_ref="oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_password_warn_age_login_defs:def:1" version="3">
<ns3:metadata>
<ns3:title>Set Password Expiration Parameters</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The password expiration warning age should be set appropriately.</ns3:description>
<ns3:reference ref_id="RHEL6_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_password_warn_age_login_defs" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_pass_warn_age:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_passwords_pam_faillock_deny:def:1" version="4">
<ns3:metadata>
<ns3:title>Lock out account after failed login attempts</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The number of allowed failed logins should be set correctly.</ns3:description>
<ns3:reference ref_id="RHEL6_20150122" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150122" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150122" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_passwords_pam_faillock_deny" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="pam_faillock.so preauth silent set in system-auth" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so authfail deny value set in system-auth" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so set in account phase of system-auth" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so preauth silent set in password-auth" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so authfail deny value set in password-auth" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so set in account phase of password-auth" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_passwords_pam_faillock_interval:def:1" version="2">
<ns3:metadata>
<ns3:title>Lock out account after failed login attempts</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The number of allowed failed logins should be set correctly.</ns3:description>
<ns3:reference ref_id="20131025" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="accounts_passwords_pam_faillock_interval" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="preauth default is set to 900" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1" />
<ns3:criterion comment="authfail default is set to 900" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1" />
<ns3:criterion comment="authfail default is set to 900" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1" />
<ns3:criterion comment="preauth default is set to 900" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_passwords_pam_faillock_unlock_time:def:1" version="2">
<ns3:metadata>
<ns3:title>Lock out account after failed login attempts</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The number of allowed failed logins should be set correctly.</ns3:description>
<ns3:reference ref_id="RHEL6_20150515" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150515" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150515" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_passwords_pam_faillock_unlock_time" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="preauth default is set to 604800" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system-auth:tst:1" />
<ns3:criterion comment="authfail default is set to 604800" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:tst:1" />
<ns3:criterion comment="authfail default is set to 604800" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password-auth:tst:1" />
<ns3:criterion comment="preauth default is set to 604800" test_ref="oval:ssg-test_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_root_path_dirs_no_write:def:1" version="2">
<ns3:metadata>
<ns3:title>Write permissions are disabled for group and other in all
directories in Root's Path</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Check each directory in root's path and make use it does
not grant write permission to group and other</ns3:description>
<ns3:reference ref_id="RHEL6_20141119" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20141119" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20141119" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_root_path_dirs_no_write" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Check that write permission to group and other in root's path is denied">
<ns3:criterion comment="Check for write permission to group and other in root's path" test_ref="oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_tmout:def:1" version="2">
<ns3:metadata>
<ns3:title>Set Interactive Session Timeout</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Checks interactive shell timeout</ns3:description>
<ns3:reference ref_id="20160227" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="accounts_tmout" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="TMOUT value in /etc/profile &gt;= var_accounts_tmout" test_ref="oval:ssg-test_etc_profile_tmout:tst:1" />
<ns3:criterion comment="TMOUT value in /etc/profile.d/*.sh &gt;= var_accounts_tmout" test_ref="oval:ssg-test_etc_profiled_tmout:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_umask_etc_bashrc:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure that Users Have Sensible Umask Values set for bash</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The default umask for users of the bash shell</ns3:description>
<ns3:reference ref_id="RHEL6_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_umask_etc_bashrc" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-tst_accounts_umask_etc_bashrc:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_umask_etc_csh_cshrc:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure that Users Have Sensible Umask Values set for csh</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The default umask for users of the csh shell</ns3:description>
<ns3:reference ref_id="RHEL6_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_umask_etc_csh_cshrc" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_umask_etc_login_defs:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure that Users Have Sensible Umask Values in /etc/login.defs</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The default umask for all users specified in /etc/login.defs</ns3:description>
<ns3:reference ref_id="RHEL6_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_umask_etc_login_defs" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-tst_accounts_umask_etc_login_defs:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_umask_etc_profile:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure that Users Have Sensible Umask Values in /etc/profile</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The default umask for all users should be set correctly</ns3:description>
<ns3:reference ref_id="RHEL6_20140905" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20140905" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="accounts_umask_etc_profile" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-tst_accounts_umask_etc_profile:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-aide_build_database:def:1" version="2">
<ns3:metadata>
<ns3:title>Aide Database Must Exist</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>CentOS 4</ns3:platform>
<ns3:platform>CentOS 5</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 4</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 5</ns3:platform>
</ns3:affected>
<ns3:description>The aide database must be initialized.</ns3:description>
<ns3:reference ref_id="RHEL6_20150924" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150924" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150924" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="aide_build_database" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_aide_build_database_absolute_path:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-aide_periodic_cron_checking:def:1" version="1">
<ns3:metadata>
<ns3:title>Configure Periodic Execution of AIDE</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>By default, AIDE does not install itself for periodic
execution. Periodically running AIDE is necessary to reveal
unexpected changes in installed files.
</ns3:description>
<ns3:reference ref_id="20140808" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="aide_periodic_cron_checking" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="Aide is installed" definition_ref="oval:ssg-package_aide_installed:def:1" />
<ns3:criteria operator="OR">
<ns3:criterion comment="run aide daily with cron" test_ref="oval:ssg-test_aide_periodic_cron_checking:tst:1" />
<ns3:criterion comment="run aide daily with cron" test_ref="oval:ssg-test_aide_crond_checking:tst:1" />
<ns3:criterion comment="run aide daily with cron" test_ref="oval:ssg-test_aide_var_cron_checking:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_chmod:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - chmod</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150421" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150421" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_chmod" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_chmod_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit chmod" test_ref="oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit chmod" test_ref="oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_chmod_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit chmod" test_ref="oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit chmod" test_ref="oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_chown:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - chown</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150421" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150421" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_chown" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_chown_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit chown" test_ref="oval:ssg-test_32bit_ardm_chown_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit chown" test_ref="oval:ssg-test_64bit_ardm_chown_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_chown_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit chown" test_ref="oval:ssg-test_32bit_ardm_chown_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit chown" test_ref="oval:ssg-test_64bit_ardm_chown_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchmod:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - fchmod</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150421" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150421" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_fchmod" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_fchmod_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit fchmod" test_ref="oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit fchmod" test_ref="oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_fchmod_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit fchmod" test_ref="oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit fchmod" test_ref="oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchmodat:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - fchmodat</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150420" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150420" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_fchmodat" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_fchmodat_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit fchmodat" test_ref="oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit fchmodat" test_ref="oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_fchmodat_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit fchmodat" test_ref="oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit fchmodat" test_ref="oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchown:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - fchown</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_fchown" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_fchown_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit fchown" test_ref="oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit fchown" test_ref="oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_fchown_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit fchown" test_ref="oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit fchown" test_ref="oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchownat:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - fchownat</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_fchownat" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_fchownat_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit fchownat" test_ref="oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit fchownat" test_ref="oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_fchownat_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit fchownat" test_ref="oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit fchownat" test_ref="oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fremovexattr:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - fremovexattr</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_fremovexattr" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_fremovexattr_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit fremovexattr" test_ref="oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit fremovexattr" test_ref="oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_fremovexattr_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit fremovexattr" test_ref="oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit fremovexattr" test_ref="oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fsetxattr:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - fsetxattr</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_fsetxattr" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_fsetxattr_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit fsetxattr" test_ref="oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit fsetxattr" test_ref="oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_fsetxattr_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit fsetxattr" test_ref="oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit fsetxattr" test_ref="oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_lchown:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - lchown</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_lchown" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_lchown_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit lchown" test_ref="oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit lchown" test_ref="oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_lchown_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit lchown" test_ref="oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit lchown" test_ref="oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_lremovexattr:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - lremovexattr</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_lremovexattr" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_lremovexattr_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit lremovexattr" test_ref="oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit lremovexattr" test_ref="oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_lremovexattr_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit lremovexattr" test_ref="oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit lremovexattr" test_ref="oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_lsetxattr:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - lsetxattr</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_lsetxattr" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_lsetxattr_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit lsetxattr" test_ref="oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit lsetxattr" test_ref="oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_lsetxattr_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit lsetxattr" test_ref="oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit lsetxattr" test_ref="oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_removexattr:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - removexattr</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_removexattr" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_removexattr_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit removexattr" test_ref="oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit removexattr" test_ref="oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_removexattr_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit removexattr" test_ref="oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit removexattr" test_ref="oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_setxattr:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Discretionary Access Control Modification Events - setxattr</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The changing of file permissions and attributes should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_dac_modification_setxattr" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ardm_setxattr_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit setxattr" test_ref="oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit setxattr" test_ref="oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ardm_setxattr_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit setxattr" test_ref="oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit setxattr" test_ref="oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_file_deletion_events:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit File Deletion Events</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit files deletion events.</ns3:description>
<ns3:reference ref_id="RHEL7_20150326" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150326" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_file_deletion_events" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_audit_rules_file_deletion_events_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules file delete" test_ref="oval:ssg-test_audit_rules_file_deletion_events_file_delete_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_audit_rules_file_deletion_events_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl file delete" test_ref="oval:ssg-test_audit_rules_file_deletion_events_file_delete_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_immutable:def:1" version="1">
<ns3:metadata>
<ns3:title>Make Audit Configuration Immutable</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Force a reboot to change audit rules is enabled</ns3:description>
<ns3:reference ref_id="RHEL7_20150518" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150518" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_immutable" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_ari_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules configuration locked" test_ref="oval:ssg-test_ari_locked_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_ari_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl configuration locked" test_ref="oval:ssg-test_ari_locked_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_kernel_module_loading:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Kernel Module Loading and Unloading</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The audit rules should be configured to log information about kernel module loading and unloading.</ns3:description>
<ns3:reference ref_id="RHEL7_20150325" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150325" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_kernel_module_loading" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules insmod" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_insmod_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules rmmod" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_rmmod_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules modprobe" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_modprobe_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules module syscalls" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_syscall_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl insmod" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_insmod_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl rmmod" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_rmmod_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl modprobe" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_modprobe_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl module syscalls" test_ref="oval:ssg-test_audit_rule_kernel_module_loading_syscall_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_login_events:def:1" version="2">
<ns3:metadata>
<ns3:title>Record Attempts to Alter Login and Logout Events</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit rules should be configured to log successful and unsuccessful login and logout events.</ns3:description>
<ns3:reference ref_id="RHEL7_20150926" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150926" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_login_events" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_arle_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules tallylog" test_ref="oval:ssg-test_arle_tallylog_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules faillock" test_ref="oval:ssg-test_arle_faillock_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules lastlog" test_ref="oval:ssg-test_arle_lastlog_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_arle_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl tallylog" test_ref="oval:ssg-test_arle_tallylog_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl faillock" test_ref="oval:ssg-test_arle_faillock_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl lastlog" test_ref="oval:ssg-test_arle_lastlog_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_mac_modification:def:1" version="1">
<ns3:metadata>
<ns3:title>Record Events that Modify the System's Mandatory Access Controls</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.</ns3:description>
<ns3:reference ref_id="RHEL7_20150424" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150424" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_mac_modification" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_armm_augenrules:tst:1" />
<ns3:criterion comment="audit selinux changes augenrules" test_ref="oval:ssg-test_armm_selinux_watch_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_armm_auditctl:tst:1" />
<ns3:criterion comment="audit selinux changes auditctl" test_ref="oval:ssg-test_armm_selinux_watch_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_media_export:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit Information Export To Media</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit rules that detect the mounting of filesystems should be enabled.</ns3:description>
<ns3:reference ref_id="RHEL7_20150327" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150327" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_media_export" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_audit_rules_media_export_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules mount" test_ref="oval:ssg-test_audit_rules_media_export_mount_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_audit_rules_media_export_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl mount" test_ref="oval:ssg-test_audit_rules_media_export_mount_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_networkconfig_modification:def:1" version="1">
<ns3:metadata>
<ns3:title>Record Events that Modify the System's Network Environment</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The network environment should not be modified by anything other than
administrator action. Any change to network parameters should be audited.</ns3:description>
<ns3:reference ref_id="RHEL7_20150424" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150424" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_networkconfig_modification" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_arnm_augenrules:tst:1" />
<ns3:criterion comment="audit network syscalls augenrules" test_ref="oval:ssg-test_arnm_syscall_augenrules:tst:1" />
<ns3:criterion comment="audit /etc/issue augenrules" test_ref="oval:ssg-test_arnm_etc_issue_augenrules:tst:1" />
<ns3:criterion comment="audit /etc/issue.net augenrules" test_ref="oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1" />
<ns3:criterion comment="audit /etc/hosts augenrules" test_ref="oval:ssg-test_arnm_etc_hosts_augenrules:tst:1" />
<ns3:criterion comment="audit /etc/sysconfig/network augenrules" test_ref="oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_arnm_auditctl:tst:1" />
<ns3:criterion comment="audit network syscalls auditctl" test_ref="oval:ssg-test_arnm_syscall_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/issue auditctl" test_ref="oval:ssg-test_arnm_etc_issue_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/issue.net auditctl" test_ref="oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/hosts auditctl" test_ref="oval:ssg-test_arnm_etc_hosts_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/sysconfig/network auditctl" test_ref="oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure auditd Collects Information on the Use of Privileged Commands</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit rules about the information on the use of privileged commands are enabled.</ns3:description>
<ns3:reference ref_id="RHEL7_20150420" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150420" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_privileged_commands" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_arpc_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules suid sgid" test_ref="oval:ssg-test_arpc_suid_sgid_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules binaries count matches rules count" test_ref="oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_arpc_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl suid sgid" test_ref="oval:ssg-test_arpc_suid_sgid_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl binaries count matches rules count" test_ref="oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_session_events:def:1" version="1">
<ns3:metadata>
<ns3:title>Record Attempts to Alter Process and Session Initiation Information</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit rules should capture information about session initiation.</ns3:description>
<ns3:reference ref_id="RHEL7_20150520" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150520" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_session_events" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_arse_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules utmp" test_ref="oval:ssg-test_arse_utmp_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules btmp" test_ref="oval:ssg-test_arse_btmp_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules wtmp" test_ref="oval:ssg-test_arse_wtmp_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_arse_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl utmp" test_ref="oval:ssg-test_arse_utmp_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl btmp" test_ref="oval:ssg-test_arse_btmp_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl wtmp" test_ref="oval:ssg-test_arse_wtmp_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_sysadmin_actions:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit System Administrator Actions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit actions taken by system administrators on the system.</ns3:description>
<ns3:reference ref_id="RHEL7_20150326" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150326" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_sysadmin_actions" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules sudoers" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl sudoers" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_time_adjtimex:def:1" version="1">
<ns3:metadata>
<ns3:title>Record Attempts to Alter Time Through Adjtimex</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Record attempts to alter time through adjtimex.</ns3:description>
<ns3:reference ref_id="RHEL7_20150429" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150429" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_time_adjtimex" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_art_adjtimex_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit adjtimex" test_ref="oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit adjtimex" test_ref="oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_art_adjtimex_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit adjtimex" test_ref="oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit adjtimex" test_ref="oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_time_clock_settime:def:1" version="2">
<ns3:metadata>
<ns3:title>Record Attempts to Alter Time Through Clock_settime</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Record attempts to alter time through clock_settime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150427" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150427" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_time_clock_settime" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_art_clock_settime_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit clock_settime" test_ref="oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit clock_settime" test_ref="oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_art_clock_settime_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit clock_settime" test_ref="oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit clock_settime" test_ref="oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_time_settimeofday:def:1" version="1">
<ns3:metadata>
<ns3:title>Record Attempts to Alter Time Through Settimeofday</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Record attempts to alter time through settimeofday.</ns3:description>
<ns3:reference ref_id="RHEL7_20150429" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150429" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_time_settimeofday" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_art_settimeofday_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit settimeofday" test_ref="oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit augenrules 64-bit settimeofday" test_ref="oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_art_settimeofday_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit settimeofday" test_ref="oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criterion comment="audit auditctl 64-bit settimeofday" test_ref="oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_time_stime:def:1" version="1">
<ns3:metadata>
<ns3:title>Record Attempts to Alter Time Through Stime</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Record attempts to alter time through stime. Note that on
64-bit architectures the stime system call is not defined in the audit
system calls lookup table.</ns3:description>
<ns3:reference ref_id="RHEL7_20150428" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150428" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_time_stime" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criteria comment="32-bit or 64-bit system" operator="OR">
<ns3:extend_definition comment="32-bit system" definition_ref="oval:ssg-system_info_architecture_x86:def:1" />
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" />
</ns3:criteria>
<ns3:criteria comment="audit augenrules or audit auditctl" operator="OR">
<ns3:criteria comment="audit augenrules stime" operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_art_stime_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit stime" test_ref="oval:ssg-test_32bit_art_stime_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria comment="audit auditctl stime" operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_art_stime_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit stime" test_ref="oval:ssg-test_32bit_art_stime_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_time_watch_localtime:def:1" version="1">
<ns3:metadata>
<ns3:title>Record Attempts to Alter Time Through the Localtime File</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Record attempts to alter time through /etc/localtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150427" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150427" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_time_watch_localtime" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_artw_augenrules:tst:1" />
<ns3:criterion comment="audit /etc/localtime watch augenrules" test_ref="oval:ssg-test_artw_etc_localtime_augenrules:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_artw_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/localtime watch auditctl" test_ref="oval:ssg-test_artw_etc_localtime_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</ns3:description>
<ns3:reference ref_id="RHEL7_20150402" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150402" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="audit_rules_unsuccessful_file_modification" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_arufm_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit file eaccess" test_ref="oval:ssg-test_32bit_arufm_eaccess_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_augenrules:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules 64-bit file eaccess" test_ref="oval:ssg-test_64bit_arufm_eaccess_augenrules:tst:1" />
<ns3:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_augenrules:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_arufm_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit file eaccess" test_ref="oval:ssg-test_32bit_arufm_eaccess_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_auditctl:tst:1" />
<ns3:criteria operator="OR">
<ns3:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl 64-bit file eaccess" test_ref="oval:ssg-test_64bit_arufm_eaccess_auditctl:tst:1" />
<ns3:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-audit_rules_usergroup_modification:def:1" version="1">
<ns3:metadata>
<ns3:title>Audit User/Group Modification</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Audit user/group modification.</ns3:description>
<ns3:reference ref_id="RHEL7_20150407" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="FEDORA20_20150407" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="audit_rules_usergroup_modification" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="audit augenrules" test_ref="oval:ssg-test_audit_rules_usergroup_modification_augenrules:tst:1" />
<ns3:criterion comment="audit /etc/group" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_group_augen:tst:1" />
<ns3:criterion comment="audit /etc/passwd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_augen:tst:1" />
<ns3:criterion comment="audit /etc/gshadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_augen:tst:1" />
<ns3:criterion comment="audit /etc/shadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_augen:tst:1" />
<ns3:criterion comment="audit /etc/security/opasswd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_augen:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="audit auditctl" test_ref="oval:ssg-test_audit_rules_usergroup_modification_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/group" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_group_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/passwd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/gshadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/shadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_auditctl:tst:1" />
<ns3:criterion comment="audit /etc/security/opasswd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_audispd_syslog_plugin_activated:def:1" version="1">
<ns3:metadata>
<ns3:title>The syslog Plugin Of the Audit Event Multiplexor (audispd) Is Activated</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>active setting in /etc/audisp/plugins.d/syslog.conf is set to 'yes'</ns3:description>
<ns3:reference ref_id="RHEL6_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="auditd_audispd_syslog_plugin_activated" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="active setting in syslog.conf" test_ref="oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_data_retention_action_mail_acct:def:1" version="2">
<ns3:metadata>
<ns3:title>Auditd Email Account to Notify Upon Action</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account</ns3:description>
<ns3:reference ref_id="RHEL6_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="auditd_data_retention_action_mail_acct" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="action_mail_acct setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_data_retention_admin_space_left_action:def:1" version="2">
<ns3:metadata>
<ns3:title>Auditd Action to Take When Disk is Low on Space</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action</ns3:description>
<ns3:reference ref_id="RHEL6_20140312" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="auditd_data_retention_admin_space_left_action" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="admin_space_left_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_data_retention_flush:def:1" version="1">
<ns3:metadata>
<ns3:title>Auditd priority for flushing data to disk</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The setting for flush in /etc/audit/auditd.conf</ns3:description>
<ns3:reference ref_id="20150718" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="PCA" />
<ns3:reference ref_id="auditd_data_retention_flush" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="flush setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_flush:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_data_retention_max_log_file:def:1" version="2">
<ns3:metadata>
<ns3:title>Auditd Maximum Log File Size</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value</ns3:description>
<ns3:reference ref_id="RHEL6_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="auditd_data_retention_max_log_file" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="max_log_file setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_max_log_file:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_data_retention_max_log_file_action:def:1" version="2">
<ns3:metadata>
<ns3:title>Auditd Action to Take When Maximum Log Size Reached</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action</ns3:description>
<ns3:reference ref_id="RHEL6_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="auditd_data_retention_max_log_file_action" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="max_log_file_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_data_retention_num_logs:def:1" version="2">
<ns3:metadata>
<ns3:title>Auditd Maximum Number of Logs to Retain</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>num_logs setting in /etc/audit/auditd.conf is set to at least a certain value</ns3:description>
<ns3:reference ref_id="RHEL6_20150812" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150812" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150812" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="auditd_data_retention_num_logs" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="num_logs setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_num_logs:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-auditd_data_retention_space_left_action:def:1" version="3">
<ns3:metadata>
<ns3:title>Auditd Action to Take When Disk Starting to Run Low on Space</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>space_left_action setting in /etc/audit/auditd.conf is set to a certain action</ns3:description>
<ns3:reference ref_id="RHEL6_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="auditd_data_retention_space_left_action" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="space_left_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_space_left_action:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-banner_etc_issue:def:1" version="2">
<ns3:metadata>
<ns3:title>System Login Banner Compliance</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The system login banner text should be set correctly.</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="banner_etc_issue" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="/etc/issue is set appropriately" test_ref="oval:ssg-test_banner_etc_issue:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-bootloader_audit_argument:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Look for argument audit=1 in the kernel line in /etc/default/grub.</ns3:description>
<ns3:reference ref_id="RHEL7_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="bootloader_audit_argument" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" test_ref="oval:ssg-test_bootloader_audit_argument:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" test_ref="oval:ssg-test_bootloader_audit_argument_default:tst:1" />
<ns3:criterion comment="check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub" test_ref="oval:ssg-test_bootloader_recovery_disabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-bootloader_nousb_argument:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Kernel Support for USB via Bootloader Configuration</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Look for 'nousb' argument in the kernel line in /etc/default/grub</ns3:description>
<ns3:reference ref_id="RHEL7_20160209" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20160209" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="bootloader_nousb_argument" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check for 'nousb' argument in /etc/default/grub" test_ref="oval:ssg-test_bootloader_nousb_argument:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-bootloader_password:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Boot Loader Password</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The grub2 boot loader should have password protection enabled.</ns3:description>
<ns3:reference ref_id="20140909" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="bootloader_password" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Pass if /boot/grub2/grub.cfg does not exist" test_ref="oval:ssg-test_bootloader_grub_cfg:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="make sure a password is defined in /etc/grub2.cfg" test_ref="oval:ssg-test_bootloader_password:tst:1" />
<ns3:criterion comment="make sure a superuser is defined in /etc/grub2.cfg" test_ref="oval:ssg-test_bootloader_superuser:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-bootloader_uefi_password:def:1" version="1">
<ns3:metadata>
<ns3:title>Set the UEFI Boot Loader Password</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The UEFI grub2 boot loader should have password protection enabled.</ns3:description>
<ns3:reference ref_id="20160609" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="bootloader_uefi_password" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Pass if /boot/efi/EFI/redhat/grub.cfg does not exist" test_ref="oval:ssg-test_bootloader_uefi_grub_cfg:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg" test_ref="oval:ssg-test_bootloader_uefi_password:tst:1" />
<ns3:criterion comment="make sure a superuser is defined in /boot/efi/EFI/redhat/grub.cfg" test_ref="oval:ssg-test_bootloader_uefi_superuser:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-cups_disable_browsing:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Printer Browsing Entirely if Possible</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The CUPS print service can be configured to broadcast a list
of available printers to the network. Other machines on the network, also
running the CUPS print service, can be configured to listen to these
broadcasts and add and configure these printers for immediate use. By
disabling this browsing capability, the machine will no longer generate
or receive such broadcasts.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="cups_disable_browsing" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Ensure remote printer browsing is off" test_ref="oval:ssg-test_cups_disable_browsing_browsing_off:tst:1" />
<ns3:criterion comment="Ensure no incoming printer information packets are allowed" test_ref="oval:ssg-test_cups_disable_browsing_browseallow:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-cups_disable_printserver:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Printer Server if Possible</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>By default, locally configured printers will not be shared
over the network, but if this functionality has somehow been enabled,
these recommendations will disable it again. Be sure to disable outgoing
printer list broadcasts, or remote users will still be able to see the
locally configured printers, even if they cannot actually print to them.
To limit print serving to a particular set of users, use the Policy
directive.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="cups_disable_printserver" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Don't use port directive" test_ref="oval:ssg-test_cups_disable_printserver_disable_port:tst:1" />
<ns3:criterion comment="Do use the listen directive" test_ref="oval:ssg-test_cups_disable_printserver_use_listen:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_banner_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable GNOME3 Login Warning Banner</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable the GNOME3 Login warning banner.</ns3:description>
<ns3:reference ref_id="20140823" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_banner_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Enable GUI banner" test_ref="oval:ssg-test_banner_gui_enabled:tst:1" />
<ns3:criterion comment="Prevent user from disabling banner" test_ref="oval:ssg-test_prevent_user_banner_gui_enabled_change:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_automount:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable GNOME3 Automounting</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives)
whenever they are inserted into the system. Disable automount and autorun
within GNOME3.</ns3:description>
<ns3:reference ref_id="20140824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_automount" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Disable GNOME3 automount/autorun and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable automount in GNOME3" test_ref="oval:ssg-test_dconf_gnome_disable_automount:tst:1" />
<ns3:criterion comment="Disable automount-open in GNOME3" test_ref="oval:ssg-test_dconf_gnome_disable_automount_open:tst:1" />
<ns3:criterion comment="Disable autorun in GNOME3" test_ref="oval:ssg-test_dconf_gnome_disable_autorun:tst:1" />
<ns3:criterion comment="Prevent user from changing automount setting" test_ref="oval:ssg-test_prevent_user_gnome_automount:tst:1" />
<ns3:criterion comment="Prevent user from changing automount-open setting" test_ref="oval:ssg-test_prevent_user_gnome_automount_open:tst:1" />
<ns3:criterion comment="Prevent user from changing autorun setting" test_ref="oval:ssg-test_prevent_user_gnome_autorun:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_ctrlaltdel_reboot:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Ctrl-Alt-Del Reboot Key Sequence in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable the GNOME3 ctrl-alt-del reboot key sequence in GNOME3.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_ctrlaltdel_reboot" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable Ctrl-Alt-Del" test_ref="oval:ssg-test_disable_gnome_ctrlaltdel:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_enable_ctrlaltdel:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_geolocation:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Geolocation in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable GNOME3 Geolocation for the clock and system.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_geolocation" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable system geolocation" test_ref="oval:ssg-test_disable_sys_geolocation:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_sys_geolocation:tst:1" />
<ns3:criterion comment="Disable clock geolocation" test_ref="oval:ssg-test_disable_clock_geolocation:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_clock_geolocation:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_power_settings:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Power Settings in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable GNOME3 power settings.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_power_settings" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable power settings" test_ref="oval:ssg-test_disable_gnome_power_setting:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_power_setting_change:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_restart_shutdown:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable the GNOME3 Login Restart and Shutdown Buttons</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable the GNOME3 Login GUI Restart and Shutdown buttons to all users on the login screen.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_restart_shutdown" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Disable GUI shutdown and restart buttons and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable restart and shutdown buttons" test_ref="oval:ssg-test_disable_restart_buttons:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_enable_restart_buttons:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_thumbnailers:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable All GNOME3 Thumbnailers</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The system's default desktop environment, GNOME3, uses a
number of different thumbnailer programs to generate thumbnails for any
new or modified content in an opened folder. Disable the execution of
these thumbnail applications within GNOME3.</ns3:description>
<ns3:reference ref_id="20140824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_thumbnailers" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Disable Gnome3 Thumbnailers and prevent user from enabling" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable thumbnailers in GNOME3" test_ref="oval:ssg-test_gnome_disable_thumbnailers:tst:1" />
<ns3:criterion comment="prevent user from changing idle delay" test_ref="oval:ssg-test_prevent_user_change_gnome_thumbnailers:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_user_admin:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable User Administration in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable GNOME3's ability to give users some administrative rights.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_user_admin" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable user administration" test_ref="oval:ssg-test_disable_gnome_user_admin:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_enable_admin:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_user_list:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable the GNOME3 Login User List</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable the GNOME3 GUI listing of all known users on the login screen.</ns3:description>
<ns3:reference ref_id="20140823" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_user_list" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Disable GUI listing of known users and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable user list" test_ref="oval:ssg-test_disable_user_list:tst:1" />
<ns3:criterion comment="Prevent user from disabling banner" test_ref="oval:ssg-test_prevent_user_disable_user_list:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_wifi_create:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable WIFI Network Connection Creation in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable the GNOME3 wireless network creation settings.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_wifi_create" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable wifi creation" test_ref="oval:ssg-test_disable_wifi_creation:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_enable_wifi_creation:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_disable_wifi_notification:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable WIFI Network Notification in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable the GNOME3 wireless network notification.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_disable_wifi_notification" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Disable wifi notification" test_ref="oval:ssg-test_disable_wifi_notification:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_enable_wifi_notification:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_enable_smartcard_auth:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable the GNOME3 Login Smartcard Authentication</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable smartcard authentication in the GNOME3 Login GUI.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_enable_smartcard_auth" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Enable smartcard authentication and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Enable smartcard authentication" test_ref="oval:ssg-test_enable_gnome_smartcard:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_disable_smartcard:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_login_banner_text:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable GUI Warning Banner</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable the GUI warning banner.</ns3:description>
<ns3:reference ref_id="20140902" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_login_banner_text" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Enable GUI banner and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Prevent user from changing banner" test_ref="oval:ssg-test_prevent_user_banner_change:tst:1" />
<ns3:criterion comment="Login banner is correctly set" test_ref="oval:ssg-test_gdm_login_banner_text_setting:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_login_retries:def:1" version="1">
<ns3:metadata>
<ns3:title>Set the GNOME3 Login Number of Failures</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Set the GNOME3 number of login failure attempts.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_login_retries" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Set number of login attempts and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="Set number of login tries" test_ref="oval:ssg-test_configure_allowed_failures:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_allowed-failures_change:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_remote_access_credential_prompt:def:1" version="1">
<ns3:metadata>
<ns3:title>Require Credential Prompting for Remote Access in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Configure GNOME3 to require credential prompting for remote access.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_remote_access_credential_prompt" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="configure remote access credentials" test_ref="oval:ssg-test_configure_remote_access_creds:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_remote_access_creds:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_remote_access_encryption:def:1" version="1">
<ns3:metadata>
<ns3:title>Require Encryption for Remote Access in GNOME3</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Configure GNOME3 to require encryption for remote access connections.</ns3:description>
<ns3:reference ref_id="20160415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_remote_access_encryption" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="configure remote access encryption" test_ref="oval:ssg-test_configure_remote_access_encryption:tst:1" />
<ns3:criterion comment="Prevent user from changing" test_ref="oval:ssg-test_prevent_user_remote_access_encryption:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_screensaver_idle_activation_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable GNOME3 Screensaver Idle Activation</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Idle activation of the screen saver should be enabled.</ns3:description>
<ns3:reference ref_id="20140824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_screensaver_idle_activation_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="check screensaver idle activation and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="idle activation has been configured" test_ref="oval:ssg-test_screensaver_idle_activation_enabled:tst:1" />
<ns3:criterion comment="prevent user from changing idle delay" test_ref="oval:ssg-test_prevent_user_change_idle_activation_enabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_screensaver_idle_delay:def:1" version="2">
<ns3:metadata>
<ns3:title>Configure the GNOME3 GUI Screen locking</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The allowed period of inactivity before the screensaver is activated.</ns3:description>
<ns3:reference ref_id="20140824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_screensaver_idle_delay" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="check screensaver idle delay and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="idle delay has been configured" test_ref="oval:ssg-test_screensaver_idle_delay:tst:1" />
<ns3:criterion comment="prevent user from changing idle delay" test_ref="oval:ssg-test_prevent_user_change_idle_delay:tst:1" />
<ns3:criterion comment="idle delay is set correctly" test_ref="oval:ssg-test_screensaver_idle_delay_setting:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_screensaver_lock_enabled:def:1" version="2">
<ns3:metadata>
<ns3:title>Enable GNOME3 Screensaver Lock After Idle Period</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Idle activation of the screen lock should be enabled.</ns3:description>
<ns3:reference ref_id="20140824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_screensaver_lock_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Enable screensaver lock and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="screensaver lock is enabled" test_ref="oval:ssg-test_screensaver_lock_enabled:tst:1" />
<ns3:criterion comment="screensaver lock prevent user from changing" test_ref="oval:ssg-test_prevent_user_screensaver_lock:tst:1" />
<ns3:criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg-test_screensaver_lock_delay:tst:1" />
<ns3:criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg-test_prevent_user_lock_delay:tst:1" />
<ns3:criterion comment="screensaver lock delay is set correctly" test_ref="oval:ssg-test_screensaver_lock_delay:tst:1" />
<ns3:criterion comment="prevent user from changing screensaver lock delay" test_ref="oval:ssg-test_prevent_user_lock_delay:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_screensaver_mode_blank:def:1" version="2">
<ns3:metadata>
<ns3:title>Implement Blank Screensaver</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The GNOME3 screensaver should be blank.</ns3:description>
<ns3:reference ref_id="20140824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_screensaver_mode_blank" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Enable blank screensaver and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="screensaver is blank" test_ref="oval:ssg-test_screensaver_mode_blank:tst:1" />
<ns3:criterion comment="screensaver prevent user from changing mode" test_ref="oval:ssg-test_prevent_user_screensaver_mode_change:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dconf_gnome_screensaver_user_info:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Full User Name on Splash Shield</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>GNOME3 screen splash shield should not display full name of logged in user.</ns3:description>
<ns3:reference ref_id="20140415" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dconf_gnome_screensaver_user_info" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="dconf installed" definition_ref="oval:ssg-package_dconf_installed:def:1" negate="true" />
<ns3:criteria comment="Disable screensaver user info and prevent user from changing it" operator="AND">
<ns3:extend_definition comment="dconf user profile exists" definition_ref="oval:ssg-enable_dconf_user_profile:def:1" />
<ns3:criterion comment="screensaver user info is disabled" test_ref="oval:ssg-test_screensaver_disable_user_info:tst:1" />
<ns3:criterion comment="screensaver prevent user from changing" test_ref="oval:ssg-test_prevent_user_info_change:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dir_perms_etc_httpd_conf:def:1" version="2">
<ns3:metadata>
<ns3:title>Directory /etc/httpd/conf/ Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Directory permissions for /etc/httpd/conf/ should be set to 0750 (or stronger).</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dir_perms_etc_httpd_conf" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="httpd not present or in use" definition_ref="oval:ssg-package_httpd_removed:def:1" />
<ns3:criterion test_ref="oval:ssg-test_dir_perms_etc_httpd_conf:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dir_perms_var_log_httpd:def:1" version="2">
<ns3:metadata>
<ns3:title>Directory /var/log/httpd/ Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Directory permissions for /var/log/httpd should be set to 0700 (or stronger).</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="dir_perms_var_log_httpd" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="httpd not present or in use" definition_ref="oval:ssg-package_httpd_removed:def:1" />
<ns3:criterion test_ref="oval:ssg-test_dir_perms_var_log_httpd:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dir_perms_world_writable_sticky_bits:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify that All World-Writable Directories Have Sticky Bits Set</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The sticky bit should be set for all world-writable directories.</ns3:description>
<ns3:reference ref_id="dir_perms_world_writable_sticky_bits" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="all local world writable directories have sticky bit set" negate="true" test_ref="oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dir_perms_world_writable_system_owned:def:1" version="1">
<ns3:metadata>
<ns3:title>Find world writable directories not owned by a system account</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>All world writable directories should be owned by a system user.</ns3:description>
<ns3:reference ref_id="dir_perms_world_writable_system_owned" source="ssg" /></ns3:metadata>
<ns3:criteria comment="check for local directories that are world writable and have uid greater than or equal to 1000" negate="true">
<ns3:criterion comment="check for local directories that are world writable and have uid greater than or equal to 1000" test_ref="oval:ssg-test_dir_world_writable_uid_gt_1000:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-disable_host_auth:def:1" version="2">
<ns3:metadata>
<ns3:title>Disable Host-Based Authentication</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>SSH host-based authentication should be disabled.</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="disable_host_auth" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check HostbasedAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_hostbasedauthentication:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-disable_interactive_boot:def:1" version="3">
<ns3:metadata>
<ns3:title>Verify that Interactive Boot is Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The ability for users to perform interactive startups should
be disabled.</ns3:description>
<ns3:reference ref_id="RHEL7_20160613" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA23_20160613" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="disable_interactive_boot" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Check systemd.confirm_spawn=(1|yes|true|on) not in GRUB_CMDLINE_LINUX" test_ref="oval:ssg-test_disable_interactive_boot_grub_cmdline_linux:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="Check systemd.confirm_spawn=(1|yes|true|on) not in GRUB_CMDLINE_LINUX_DEFAULT" test_ref="oval:ssg-test_disable_interactive_boot_grub_cmdline_linux_default:tst:1" />
<ns3:criterion comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub" test_ref="oval:ssg-test_bootloader_recovery_disabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-disable_prelink:def:1" version="3">
<ns3:metadata>
<ns3:title>Disable Prelinking</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
</ns3:affected>
<ns3:description>The prelinking feature can interfere with the operation of
checksum integrity tools (e.g. AIDE), mitigates the protection provided
by ASLR, and requires additional CPU cycles by software upgrades.
</ns3:description>
<ns3:reference ref_id="RHEL6_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA21_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="disable_prelink" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Conditions for prelinking disabled are satisfied" operator="OR">
<ns3:criteria comment="System is RHEL6 with prelinking disabled" operator="AND">
<ns3:extend_definition comment="Installed OS is RHEL6" definition_ref="oval:ssg-installed_OS_is_rhel6:def:1" />
<ns3:criterion comment="Prelinking is disabled" test_ref="oval:ssg-test_prelinking_disabled:tst:1" />
</ns3:criteria>
<ns3:criteria comment="System is RHEL7 or Fedora and prelink RPM is not installed or prelinking is disabled" operator="AND">
<ns3:criteria comment="System is RHEL7 or Fedora" operator="OR">
<ns3:extend_definition comment="Installed OS is RHEL7" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1" />
<ns3:extend_definition comment="Installed OS is Fedora" definition_ref="oval:ssg-installed_OS_is_fedora:def:1" />
</ns3:criteria>
<ns3:criteria comment="prelink RPM package not installed or prelinking disabled" operator="OR">
<ns3:extend_definition comment="prelink RPM package not installed" definition_ref="oval:ssg-package_prelink_removed:def:1" />
<ns3:criterion comment="Prelinking is disabled" test_ref="oval:ssg-test_prelinking_disabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-disable_users_coredumps:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Core Dumps</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Core dumps for all users should be disabled</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="disable_users_coredumps" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Are core dumps disabled" test_ref="oval:ssg-test_core_dumps_limitsconf:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-display_login_attempts:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Last Login/Access Notification</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Configure the system to notify users of last login/access using pam_lastlog.</ns3:description>
<ns3:reference ref_id="RHEL7_20150611" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150611" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="display_login_attempts" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Conditions for pam_lastlog are satisfied" test_ref="oval:ssg-test_display_login_attempts:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-enable_dconf_user_profile:def:1" version="1">
<ns3:metadata>
<ns3:title>Implement Local DB for DConf User Profile</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The DConf User profile should have the local DB configured.</ns3:description>
<ns3:reference ref_id="20140824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="enable_dconf_user_profile" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="dconf user profile exists" test_ref="oval:ssg-test_dconf_user_profile:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-enable_selinux_bootloader:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable SELinux in the GRUB2 Bootloader"</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>
Check if selinux=0 OR enforcing=0 within the GRUB2 configuration files, fail if found.
</ns3:description>
<ns3:reference ref_id="20151030" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="enable_selinux_bootloader" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found" test_ref="oval:ssg-test_selinux_default_grub:tst:1" />
<ns3:criterion comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found" test_ref="oval:ssg-test_selinux_grub2_cfg:tst:1" />
<ns3:criterion comment="check value selinux|enforcing=0 in /etc/grub.d, fail if found" test_ref="oval:ssg-test_selinux_grub_dir:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ensure_gpgcheck_globally_activated:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure Yum gpgcheck Globally Activated</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The gpgcheck option should be used to ensure that checking
of an RPM package's signature always occurs prior to its
installation.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="ensure_gpgcheck_globally_activated" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:extend_definition comment="Fedora installed" definition_ref="oval:ssg-installed_OS_is_fedora:def:1" />
<ns3:criterion comment="check value of gpgcheck in /etc/dnf/dnf.conf" test_ref="oval:ssg-test_dnf_ensure_gpgcheck_globally_activated:tst:1" />
</ns3:criteria>
<ns3:criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="oval:ssg-test_yum_ensure_gpgcheck_globally_activated:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ensure_gpgcheck_never_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure gpgcheck Enabled For All Yum or Dnf Package Repositories</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
</ns3:affected>
<ns3:description>Ensure all yum or dnf repositories utilize signature checking.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="ensure_gpgcheck_never_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="ensure all yum or dnf repositories utilize signiature checking" operator="AND">
<ns3:criterion comment="verify no gpgpcheck=0 present in /etc/yum.repos.d files" test_ref="oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ensure_logrotate_activated:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure the logrotate utility performs the automatic rotation of log files on daily basis</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Debian 8</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>
The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily
</ns3:description>
<ns3:reference ref_id="20140606" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="ensure_logrotate_activated" source="ssg" /></ns3:metadata>
<ns3:criteria comment="/etc/logrotate.conf contains daily setting or /etc/cron.daily/logrotate file exists" operator="OR">
<ns3:criterion comment="Check if daily is set in /etc/logrotate.conf" test_ref="oval:ssg-test_logrotate_conf_daily_setting:tst:1" />
<ns3:criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)" test_ref="oval:ssg-test_cron_daily_logrotate_existence:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ensure_redhat_gpgkey_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Red Hat Release and Auxiliary gpg-pubkey Packages Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The Red Hat release and auxiliary key packages are required to be installed.</ns3:description>
<ns3:reference ref_id="20151006" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="ensure_redhat_gpgkey_installed" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Vendor GPG keys" operator="OR">
<ns3:criteria comment="Red Hat Vendor Keys" operator="AND">
<ns3:criteria comment="Red Hat Installed" operator="OR">
<ns3:extend_definition comment="RHEL6 installed" definition_ref="oval:ssg-installed_OS_is_rhel6:def:1" />
<ns3:extend_definition comment="RHEL7 installed" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1" />
</ns3:criteria>
<ns3:criterion comment="package gpg-pubkey-fd431d51-4ae0493b is installed" test_ref="oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1" />
<ns3:criterion comment="package gpg-pubkey-2fa658e0-45700c69 is installed" test_ref="oval:ssg-test_package_gpgkey-2fa658e0-45700c69_installed:tst:1" />
</ns3:criteria>
<ns3:criteria comment="CentOS Vendor Keys" operator="OR">
<ns3:criteria comment="CentOS Installed" operator="OR">
<ns3:extend_definition comment="CentOS6 installed" definition_ref="oval:ssg-installed_OS_is_centos6:def:1" />
<ns3:extend_definition comment="CentOS7 installed" definition_ref="oval:ssg-installed_OS_is_centos7:def:1" />
</ns3:criteria>
<ns3:criterion comment="package gpg-pubkey-f4a80eb5-53a7ff4b is installed" test_ref="oval:ssg-test_package_gpgkey-f4a80eb5-53a7ff4b_installed:tst:1" />
<ns3:criterion comment="package gpg-pubkey-c105b9de-4e0fd3a3 is installed" test_ref="oval:ssg-test_package_gpgkey-c105b9de-4e0fd3a3_installed:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_group_owner_grub2_cfg:def:1" version="1">
<ns3:metadata>
<ns3:title>File grub.cfg Owned By root Group </ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The grub.cfg file should be owned by the root group. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</ns3:description>
<ns3:reference ref_id="20140909" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="file_group_owner_grub2_cfg" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion test_ref="oval:ssg-test_file_group_owner_grub2_cfg:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_file_group_owner_efi_grub2_cfg:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_groupowner_etc_group:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify group who owns 'group' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/group file should be owned by the appropriate
group.</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="file_groupowner_etc_group" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_groupowner_etc_group:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_groupowner_etc_gshadow:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify group who owns 'gshadow' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/gshadow file should be owned by the appropriate
group.</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="file_groupowner_etc_gshadow" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_groupowner_etc_gshadow:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_groupowner_etc_passwd:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify group who owns 'passwd' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/passwd file should be owned by the appropriate
group.</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="file_groupowner_etc_passwd" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_groupowner_etc_passwd:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_owner_etc_group:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify user who owns 'group' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/group file should be owned by the appropriate
user.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="file_owner_etc_group" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_owner_etc_group:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_owner_etc_gshadow:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify user who owns 'gshadow' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/gshadow file should be owned by the appropriate
user.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="file_owner_etc_gshadow" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_owner_etc_gshadow:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_owner_etc_passwd:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify user who owns 'passwd' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/passwd file should be owned by the appropriate
user.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="file_owner_etc_passwd" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_owner_etc_passwd:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_ownership_binary_dirs:def:1" version="2">
<ns3:metadata>
<ns3:title>Verify that System Executables Have Root Ownership</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>CentOS 4</ns3:platform>
<ns3:platform>CentOS 5</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 4</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 5</ns3:platform>
</ns3:affected>
<ns3:description>
Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
/usr/local/sbin, /usr/libexec, and objects therein, are owned by root.
</ns3:description>
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_ownership_binary_dirs" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_ownership_binary_directories:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_ownership_binary_files:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_ownership_library_dirs:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify that Shared Library Files Have Root Ownership</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are owned by root.
</ns3:description>
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_ownership_library_dirs" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_ownership_lib_dir:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_ownership_lib_files:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_ownership_var_log_audit:def:1" version="2">
<ns3:metadata>
<ns3:title>Verify /var/log/audit Ownership</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Checks that all /var/log/audit files and directories are owned by the root user and group.</ns3:description>
<ns3:reference ref_id="RHEL6_20150814" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150814" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150814" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_ownership_var_log_audit" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria comment="directories are root owned" operator="AND">
<ns3:criterion test_ref="oval:ssg-test_ownership_var_log_audit_files:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_ownership_var_log_audit_directories:tst:1" />
</ns3:criteria>
<ns3:criteria comment="log_group in auditd.conf is not root" operator="AND">
<ns3:criterion test_ref="oval:ssg-test_auditd_conf_log_group_root:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_binary_dirs:def:1" version="2">
<ns3:metadata>
<ns3:title>Verify that System Executables Have Restrictive Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>CentOS 4</ns3:platform>
<ns3:platform>CentOS 5</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 4</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 5</ns3:platform>
</ns3:affected>
<ns3:description>
Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
/usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable.
</ns3:description>
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_permissions_binary_dirs" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_perms_binary_files:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_etc_group:def:1" version="2">
<ns3:metadata>
<ns3:title>Verify permissions on 'group' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>File permissions for /etc/group should be set
correctly.</ns3:description>
<ns3:reference ref_id="20140403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_permissions_etc_group" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_permissions_etc_group:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_etc_gshadow:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify /etc/gshadow Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>This test makes sure that /etc/gshadow is owned by 0, group owned by 0, and has mode 0000. If
the target file or directory has an extended ACL then it will fail the mode check.</ns3:description>
<ns3:reference ref_id="20130831" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="file_permissions_etc_gshadow" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_etc_gshadow:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_etc_passwd:def:1" version="2">
<ns3:metadata>
<ns3:title>Verify /etc/passwd Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>This test makes sure that /etc/passwd is owned by 0, group owned by 0, and has mode 0644 (or stronger). If
the target file or directory has an extended ACL then it will fail the mode check.</ns3:description>
<ns3:reference ref_id="20140403" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_permissions_etc_passwd" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_etc_passwd:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_etc_shadow:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify /etc/shadow Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>This test makes sure that /etc/shadow is owned by 0, group owned by 0, and has mode 0000. If
the target file or directory has an extended ACL then it will fail the mode check.</ns3:description>
<ns3:reference ref_id="20130831" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="file_permissions_etc_shadow" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_etc_shadow:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_grub2_cfg:def:1" version="1">
<ns3:metadata>
<ns3:title>File grub.cfg Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>File permissions for grub.cfg should be set to 0600 (or stronger). By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</ns3:description>
<ns3:reference ref_id="20140909" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="file_permissions_grub2_cfg" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion test_ref="oval:ssg-test_file_permissions_grub2_cfg:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_home_dirs:def:1" version="1">
<ns3:metadata>
<ns3:title>Proper Permissions User Home Directories</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>File permissions should be set correctly for the home directories for all user accounts.</ns3:description>
<ns3:reference ref_id="RHEL6_20141106" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20141106" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="Fedora20_20141106" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_permissions_home_dirs" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="home directories" negate="true" test_ref="oval:ssg-test_file_permissions_home_dirs:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_httpd_server_conf_files:def:1" version="2">
<ns3:metadata>
<ns3:title>Verify Permissions On Apache Web Server Configuration Files</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/httpd/conf/* files should have the appropriate permissions (0640 or stronger).</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="file_permissions_httpd_server_conf_files" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="httpd not present or in use" definition_ref="oval:ssg-package_httpd_removed:def:1" />
<ns3:criterion test_ref="oval:ssg-test_file_permissions_httpd_server_conf_files:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_library_dirs:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify that Shared Library Files Have Restrictive Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>
Checks that /lib, /lib64, /usr/lib, /usr/lib64, /lib/modules, and
objects therein, are not group-writable or world-writable.
</ns3:description>
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_permissions_library_dirs" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_perms_lib_dir:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_perms_lib_files:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_unauthorized_world_writable:def:1" version="1">
<ns3:metadata>
<ns3:title>Find Unauthorized World-Writable Files</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The world-write permission should be disabled for all files.</ns3:description>
<ns3:reference ref_id="file_permissions_unauthorized_world_writable" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_permissions_unauthorized_world_write:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_ungroupowned:def:1" version="2">
<ns3:metadata>
<ns3:title>Find files unowned by a group</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 4</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 5</ns3:platform>
<ns3:platform>CentOS 4</ns3:platform>
<ns3:platform>CentOS 5</ns3:platform>
</ns3:affected>
<ns3:description>All files should be owned by a group</ns3:description>
<ns3:reference ref_id="file_permissions_ungroupowned" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check all files and make sure they are owned by a group" test_ref="oval:ssg-test_file_permissions_ungroupowned:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_var_log_audit:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify /var/log/audit Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Checks for correct permissions for all log files in /var/log/audit.</ns3:description>
<ns3:reference ref_id="file_permissions_var_log_audit" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion negate="true" test_ref="oval:ssg-test_file_permissions_var_log_audit:tst:1" />
<ns3:criteria comment="log_group in auditd.conf is not root" operator="AND">
<ns3:criterion test_ref="oval:ssg-test_auditd_conf_log_group_root:tst:1" />
<ns3:criterion negate="true" test_ref="oval:ssg-test_file_permissions_var_log_audit-non_root:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_user_owner_grub2_cfg:def:1" version="1">
<ns3:metadata>
<ns3:title>File grub.cfg Owned By root User</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The grub.cfg file should be owned by the root user. By default, this file is located at /boot/grub2/grub.cfg or, for EFI systems, at /boot/efi/EFI/redhat/grub.cfg</ns3:description>
<ns3:reference ref_id="20140909" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="file_user_owner_grub2_cfg" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion test_ref="oval:ssg-test_file_user_owner_grub2_cfg:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_file_user_owner_efi_grub2_cfg:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-firewalld_sshd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disallow inbound firewall access to the SSH Server port</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>If inbound SSH access is not needed, the firewall should disallow or reject access to
the SSH port (22).</ns3:description>
<ns3:reference ref_id="20160215" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="firewalld_sshd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="ssh service is not enabled in services" test_ref="oval:ssg-test_firewalld_service_sshd:tst:1" />
<ns3:criterion comment="ssh port is not enabled in services" test_ref="oval:ssg-test_firewalld_service_sshd_port:tst:1" />
<ns3:criterion comment="ssh service is not enabled in zones" test_ref="oval:ssg-test_firewalld_zone_sshd:tst:1" />
<ns3:criterion comment="ssh port is not enabled in zones" test_ref="oval:ssg-test_firewalld_zone_sshd_port:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ftp_log_transactions:def:1" version="1">
<ns3:metadata>
<ns3:title>Banner for FTP Users</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
</ns3:affected>
<ns3:description>To trace malicious activity facilitated by the FTP
service, it must be configured to ensure that all commands sent to
the FTP server are logged using the verbose vsftpd log format.
</ns3:description>
<ns3:reference ref_id="20140812" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="ftp_log_transactions" source="ssg" /></ns3:metadata>
<ns3:criteria comment="FTP is not being used or the conditions are met" operator="OR">
<ns3:extend_definition comment="vsftp package is not installed" definition_ref="oval:ssg-package_vsftpd_installed:def:1" negate="true" />
<ns3:criteria comment="FTP configuration conditions are not set or are met" operator="AND">
<ns3:criterion comment="log ftp transactions enable" test_ref="oval:ssg-test_ftp_log_transactions_enable:tst:1" />
<ns3:criterion comment="log ftp transactions format" test_ref="oval:ssg-test_ftp_log_transactions_format:tst:1" />
<ns3:criterion comment="log ftp transactions protocol" test_ref="oval:ssg-test_ftp_log_transactions_protocol:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ftp_present_banner:def:1" version="1">
<ns3:metadata>
<ns3:title>Banner for FTP Users</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
</ns3:affected>
<ns3:description>This setting will cause the system greeting banner to be
used for FTP connections as well.</ns3:description>
<ns3:reference ref_id="20140812" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="ftp_present_banner" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="vsftpd package is not installed" definition_ref="oval:ssg-package_vsftpd_installed:def:1" negate="true" />
<ns3:criterion comment="Banner for FTP Users" test_ref="oval:ssg-test_ftp_present_banner:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-gid_passwd_group_same:def:1" version="2">
<ns3:metadata>
<ns3:title>All GIDs Are Present In /etc/group</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>CentOS 4</ns3:platform>
<ns3:platform>CentOS 5</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 4</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 5</ns3:platform>
</ns3:affected>
<ns3:description>All GIDs referenced in /etc/passwd must be defined in /etc/group.</ns3:description>
<ns3:reference ref_id="RHEL6_20150911" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150911" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150911" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="gid_passwd_group_same" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_gid_passwd_group_same:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-gnome_gdm_disable_automatic_login:def:1" version="2">
<ns3:metadata>
<ns3:title>Disable GDM Automatic Login</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable the GNOME Display Manager (GDM) ability to allow users to
automatically login.</ns3:description>
<ns3:reference ref_id="20160413" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="gnome_gdm_disable_automatic_login" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="gdm installed" definition_ref="oval:ssg-package_gdm_installed:def:1" negate="true" />
<ns3:criterion comment="Disable GDM Automatic Login" test_ref="oval:ssg-test_disable_automatic_login:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-gnome_gdm_disable_guest_login:def:1" version="2">
<ns3:metadata>
<ns3:title>Disable GDM Guest Login</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disable the GNOME Display Manager (GDM) ability to allow guest users
to login.</ns3:description>
<ns3:reference ref_id="20160413" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="gnome_gdm_disable_guest_login" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="gdm installed" definition_ref="oval:ssg-package_gdm_installed:def:1" negate="true" />
<ns3:criterion comment="Disable GDM Guest Login" test_ref="oval:ssg-test_disable_guest_login:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-groupowner_shadow_file:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify group who owns 'shadow' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/shadow file should be owned by the appropriate
group.</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="groupowner_shadow_file" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_groupowner_etc_shadow:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-install_antivirus:def:1" version="1">
<ns3:metadata>
<ns3:title>Package Antivirus Installed</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Antivirus software should be installed.</ns3:description>
<ns3:reference ref_id="20140813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="install_antivirus" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Antivirus is not being used or conditions are met">
<ns3:extend_definition comment="McAfee A/V Installed" definition_ref="oval:ssg-install_mcafee_antivirus:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-install_mcafee_antivirus:def:1" version="1">
<ns3:metadata>
<ns3:title>Package McAfeeVSEForLinux Installed</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>McAfee Antivirus software should be installed.</ns3:description>
<ns3:reference ref_id="20140813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="install_mcafee_antivirus" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Antivirus is not being used or conditions are met">
<ns3:criterion comment="Linuxshield AntiVirus package is installed" test_ref="oval:ssg-test_linuxshield_install_antivirus:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="inventory" id="oval:ssg-installed_OS_is_centos6:def:1" version="1">
<ns3:metadata>
<ns3:title>CentOS 6</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:reference ref_id="cpe:/o:centos:centos:6" source="CPE" />
<ns3:description>The operating system installed on the system is
CentOS 6</ns3:description>
<ns3:reference ref_id="CENTOS6_20150707" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MP" />
<ns3:reference ref_id="installed_OS_is_centos6" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1" />
<ns3:criterion comment="CentOS6 is installed" test_ref="oval:ssg-test_centos6:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="inventory" id="oval:ssg-installed_OS_is_centos7:def:1" version="1">
<ns3:metadata>
<ns3:title>CentOS 7</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:reference ref_id="cpe:/o:centos:centos:7" source="CPE" />
<ns3:description>The operating system installed on the system is
CentOS 7</ns3:description>
<ns3:reference ref_id="CENTOS7_20150707" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MP" />
<ns3:reference ref_id="installed_OS_is_centos7" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1" />
<ns3:criterion comment="CentOS7 is installed" test_ref="oval:ssg-test_centos7:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="inventory" id="oval:ssg-installed_OS_is_fedora:def:1" version="2">
<ns3:metadata>
<ns3:title>Installed operating system is Fedora</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:reference ref_id="cpe:/o:fedoraproject:fedora:22" source="CPE" />
<ns3:reference ref_id="cpe:/o:fedoraproject:fedora:23" source="CPE" />
<ns3:reference ref_id="cpe:/o:fedoraproject:fedora:24" source="CPE" />
<ns3:reference ref_id="cpe:/o:fedoraproject:fedora:25" source="CPE" />
<ns3:description>The operating system installed on the system is Fedora</ns3:description>
<ns3:reference ref_id="RHEL6_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA21_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="installed_OS_is_fedora" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1" />
<ns3:criterion comment="fedora-release RPM package is installed" test_ref="oval:ssg-test_fedora_release_rpm:tst:1" />
<ns3:criterion comment="CPE vendor is 'fedoraproject' and product is 'fedora'" test_ref="oval:ssg-test_fedora_vendor_product:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="inventory" id="oval:ssg-installed_OS_is_rhel6:def:1" version="1">
<ns3:metadata>
<ns3:title>Red Hat Enterprise Linux 6</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:reference ref_id="cpe:/o:redhat:enterprise_linux:6" source="CPE" />
<ns3:description>The operating system installed on the system is
Red Hat Enterprise Linux 6</ns3:description>
<ns3:reference ref_id="RHEL7_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="installed_OS_is_rhel6" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1" />
<ns3:criteria operator="OR">
<ns3:criterion comment="RHEL 6 Workstation is installed" test_ref="oval:ssg-test_rhel_workstation:tst:1" />
<ns3:criterion comment="RHEL 6 Server is installed" test_ref="oval:ssg-test_rhel_server:tst:1" />
<ns3:criterion comment="RHEL 6 Compute Node is installed" test_ref="oval:ssg-test_rhel_computenode:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="inventory" id="oval:ssg-installed_OS_is_rhel7:def:1" version="1">
<ns3:metadata>
<ns3:title>Red Hat Enterprise Linux 7</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE" />
<ns3:description>The operating system installed on the system is
Red Hat Enterprise Linux 7</ns3:description>
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="installed_OS_is_rhel7" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel7_unix_family:tst:1" />
<ns3:criteria operator="OR">
<ns3:criterion comment="RHEL 7 Workstation is installed" test_ref="oval:ssg-test_rhel7_workstation:tst:1" />
<ns3:criterion comment="RHEL 7 Server is installed" test_ref="oval:ssg-test_rhel7_server:tst:1" />
<ns3:criterion comment="RHEL 7 Compute Node is installed" test_ref="oval:ssg-test_rhel7_computenode:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="inventory" id="oval:ssg-installed_OS_is_sl6:def:1" version="1">
<ns3:metadata>
<ns3:title>Scientific Linux 6</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:reference ref_id="cpe:/o:scientificlinux:scientificlinux:6" source="CPE" />
<ns3:description>The operating system installed on the system is
Scientific Linux 6</ns3:description>
<ns3:reference ref_id="SL6_20150707" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MP" />
<ns3:reference ref_id="installed_OS_is_sl6" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1" />
<ns3:criterion comment="Scientific Linux 6 is installed" test_ref="oval:ssg-test_sl6:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="inventory" id="oval:ssg-installed_OS_is_sl7:def:1" version="1">
<ns3:metadata>
<ns3:title>Scientific Linux 7</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:reference ref_id="cpe:/o:scientificlinux:scientificlinux:6" source="CPE" />
<ns3:description>The operating system installed on the system is
Scientific Linux 7</ns3:description>
<ns3:reference ref_id="SL7_20150707" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MP" />
<ns3:reference ref_id="installed_OS_is_sl7" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1" />
<ns3:criterion comment="Scientific Linux 7 is installed" test_ref="oval:ssg-test_sl7:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_dccp_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable dccp Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module dccp should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_dccp_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module dccp disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_dccp_disabled:tst:1" />
<ns3:criterion comment="kernel module dccp disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_dccp_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module dccp disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_dccp_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module dccp disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_dccp_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module dccp disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_dccp_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_usb-storage_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable usb-storage Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module usb-storage should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_usb-storage_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module usb-storage disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_usb-storage_disabled:tst:1" />
<ns3:criterion comment="kernel module usb-storage disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module usb-storage disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_usb-storage_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module usb-storage disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_usb-storage_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module usb-storage disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_usb-storage_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ldap_client_start_tls:def:1" version="1">
<ns3:metadata>
<ns3:title>Configure LDAP to Use TLS for All Transactions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Require the use of TLS for ldap clients.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="ldap_client_start_tls" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="nss-pam-ldapd not present or not in use" definition_ref="oval:ssg-package_nss-pam-ldapd_removed:def:1" />
<ns3:criterion comment="look for ssl start_tls in /etc/nslcd.conf" test_ref="oval:ssg-test_ldap_client_start_tls_ssl:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ldap_client_tls_cacertpath:def:1" version="1">
<ns3:metadata>
<ns3:title>Configure LDAP CA Certificate Path</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Require the use of TLS for ldap clients.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="ldap_client_tls_cacertpath" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="nss-pam-ldapd not present or in use" definition_ref="oval:ssg-package_nss-pam-ldapd_removed:def:1" />
<ns3:criterion comment="look for tls_cacertdir in /etc/nslcd.conf" test_ref="oval:ssg-test_ldap_client_tls_cacertdir:tst:1" />
<ns3:criterion comment="look for tls_cacertfile in /etc/nslcd.conf" test_ref="oval:ssg-test_ldap_client_tls_cacertfile:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-logwatch_configured_hostlimit:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure Logwatch HostLimit Configured</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Test if HostLimit line in logwatch.conf is set appropriately.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="logwatch_configured_hostlimit" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Test value of HostLimit" test_ref="oval:ssg-test_logwatch_configured_hostlimit:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-logwatch_configured_splithosts:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure Logwatch SplitHosts Configured</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Check if SplitHosts line in logwatch.conf is set appropriately.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="logwatch_configured_splithosts" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Test value of SplitHosts" test_ref="oval:ssg-test_logwatch_configured_splithosts:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_dev_shm_nodev:def:1" version="1">
<ns3:metadata>
<ns3:title>Add nodev Option to /dev/shm</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Legitimate character and block devices should not exist
within temporary directories like /dev/shm. The nodev mount option should
be specified for /dev/shm.</ns3:description>
<ns3:reference ref_id="20130820" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_dev_shm_nodev" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="nodev on /dev/shm" test_ref="oval:ssg-test_nodev_dev_shm:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_dev_shm_noexec:def:1" version="1">
<ns3:metadata>
<ns3:title>Add noexec Option to /dev/shm</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>It can be dangerous to allow the execution of binaries from
world-writable temporary storage directories such as /dev/shm. The noexec
mount option prevents binaries from being executed out of
/dev/shm.</ns3:description>
<ns3:reference ref_id="20130821" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_dev_shm_noexec" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="noexec on /dev/shm" test_ref="oval:ssg-test_noexec_dev_shm:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_dev_shm_nosuid:def:1" version="1">
<ns3:metadata>
<ns3:title>Add nosuid Option to /dev/shm</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The nosuid mount option should be set for temporary storage
partitions such as /dev/shm. The suid/sgid permissions should not be
required in these world-writable directories.</ns3:description>
<ns3:reference ref_id="20130821" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_dev_shm_nosuid" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="nosuid on /dev/shm" test_ref="oval:ssg-test_nosuid_dev_shm:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1" version="1">
<ns3:metadata>
<ns3:title>Add nodev Option to Non-Root Local Partitions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The nodev mount option prevents files from being interpreted
as character or block devices. Legitimate character and block devices
should exist in the /dev directory on the root partition or within chroot
jails built for system services. All other locations should not allow
character and block devices.</ns3:description>
<ns3:reference ref_id="20130821" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_nodev_nonroot_local_partitions" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="nodev on local filesystems" negate="true" test_ref="oval:ssg-test_nodev_nonroot_local_partitions:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_nodev_remote_filesystems:def:1" version="1">
<ns3:metadata>
<ns3:title>Mount Remote Filesystems with nodev</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The nodev option should be enabled for all NFS mounts in /etc/fstab.</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="DS" />
<ns3:reference ref_id="mount_option_nodev_remote_filesystems" source="ssg" /></ns3:metadata>
<ns3:criteria operator="XOR">
<ns3:criterion comment="remote nfs filesystems" test_ref="oval:ssg-test_no_nfs_defined_etc_fstab_nodev:tst:1" />
<ns3:criterion comment="remote nfs filesystems" test_ref="oval:ssg-test_nfs_nodev_etc_fstab:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_nodev_removable_partitions:def:1" version="2">
<ns3:metadata>
<ns3:title>Add nodev Option to Removable Media Partitions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The nodev mount option prevents files from being interpreted
as character or block devices. Legitimate character and block devices
should exist in the /dev directory on the root partition or within chroot
jails built for system services. All other locations should not allow
character and block devices.</ns3:description>
<ns3:reference ref_id="RHEL6_20150305" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="mount_option_nodev_removable_partitions" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Check if removable partition really exists on the system" test_ref="oval:ssg-test_removable_partition_doesnt_exist:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="Check if removable partition value represents CD/DVD drive" test_ref="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if at least one from CD/DVD drive alternative names is using 'nodev' mount option in /etc/fstab" test_ref="oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if at least one from CD/DVD drive alternative names is using 'nodev' mount option in runtime configuration" test_ref="oval:ssg-test_nodev_runtime_cd_dvd_drive:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="Check if removable partition is using 'nodev' mount option in /etc/fstab" test_ref="oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if removable partition is using 'nodev' mount option in runtime configuration" test_ref="oval:ssg-test_nodev_runtime_not_cd_dvd_drive:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_noexec_removable_partitions:def:1" version="2">
<ns3:metadata>
<ns3:title>Add noexec Option to Removable Media Partitions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The noexec mount option prevents the direct execution of
binaries on the mounted filesystem. Users should not be allowed to
execute binaries that exist on partitions mounted from removable media
(such as a USB key). The noexec option prevents code from being executed
directly from the media itself, and may therefore provide a line of
defense against certain types of worms or malicious code.</ns3:description>
<ns3:reference ref_id="RHEL6_20150305" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="mount_option_noexec_removable_partitions" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Check if removable partition really exists on the system" test_ref="oval:ssg-test_removable_partition_doesnt_exist:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="Check if removable partition value represents CD/DVD drive" test_ref="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if at least one from CD/DVD drive alternative names is using 'noexec' mount option in /etc/fstab" test_ref="oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if at least one from CD/DVD drive alternative names is using 'noexec' mount option in runtime configuration" test_ref="oval:ssg-test_noexec_runtime_cd_dvd_drive:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="Check if removable partition is using 'noexec' mount option in /etc/fstab" test_ref="oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if removable partition is using 'noexec' mount option in runtime configuration" test_ref="oval:ssg-test_noexec_runtime_not_cd_dvd_drive:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_nosuid_remote_filesystems:def:1" version="1">
<ns3:metadata>
<ns3:title>Mount Remote Filesystems with nosuid</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The nosuid option should be enabled for all NFS mounts in /etc/fstab.</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="DS" />
<ns3:reference ref_id="mount_option_nosuid_remote_filesystems" source="ssg" /></ns3:metadata>
<ns3:criteria operator="XOR">
<ns3:criterion comment="remote nfs filesystems" test_ref="oval:ssg-test_no_nfs_defined_etc_fstab_nosuid:tst:1" />
<ns3:criterion comment="remote nfs filesystems" test_ref="oval:ssg-test_nfs_nosuid_etc_fstab:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-no_netrc_files:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify No netrc Files Exist</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</ns3:description>
<ns3:reference ref_id="20141114" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="no_netrc_files" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion negate="true" test_ref="oval:ssg-test_no_netrc_files_home:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_nosuid_removable_partitions:def:1" version="2">
<ns3:metadata>
<ns3:title>Add nosuid Option to Removable Media Partitions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The nosuid mount option prevents set-user-identifier (suid)
and set-group-identifier (sgid) permissions from taking effect. These
permissions allow users to execute binaries with the same permissions as
the owner and group of the file respectively. Users should not be allowed
to introduce suid and guid files into the system via partitions mounted
from removeable media.</ns3:description>
<ns3:reference ref_id="RHEL6_20150305" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="mount_option_nosuid_removable_partitions" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Check if removable partition really exists on the system" test_ref="oval:ssg-test_removable_partition_doesnt_exist:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="Check if removable partition value represents CD/DVD drive" test_ref="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if at least one from CD/DVD drive alternative names is using 'nosuid' mount option in /etc/fstab" test_ref="oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if at least one from CD/DVD drive alternative names is using 'nosuid' mount option in runtime configuration" test_ref="oval:ssg-test_nosuid_runtime_cd_dvd_drive:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="Check if removable partition is using 'nosuid' mount option in /etc/fstab" test_ref="oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1" />
<ns3:criterion comment="Check if removable partition is using 'nosuid' mount option in runtime configuration" test_ref="oval:ssg-test_nosuid_runtime_not_cd_dvd_drive:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_smb_client_signing:def:1" version="1">
<ns3:metadata>
<ns3:title>Require Client SMB Packet Signing, if using
mount.cifs</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Require packet signing of clients who mount
Samba shares using the mount.cifs program (e.g., those who
specify shares in /etc/fstab). To do so, ensure that signing
options (either sec=krb5i or sec=ntlmv2i) are
used.</ns3:description>
<ns3:reference ref_id="mount_option_smb_client_signing" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criteria operator="OR">
<ns3:criterion comment="check for no cifs in /etc/fstab" test_ref="oval:ssg-test_20340111:tst:1" />
<ns3:criterion comment="check for sec=krb5i or sec=ntlmv2i in /etc/fstab" test_ref="oval:ssg-test_20340112:tst:1" />
</ns3:criteria>
<ns3:criteria operator="OR">
<ns3:criterion comment="check for no cifs in /etc/mtab" test_ref="oval:ssg-test_20340113:tst:1" />
<ns3:criterion comment="check for sec=krb5i or sec=ntlmv2i in /etc/mtab" test_ref="oval:ssg-test_20340114:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_tmp_nodev:def:1" version="1">
<ns3:metadata>
<ns3:title>Add nodev Option to /tmp</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Legitimate character and block devices should not exist
within temporary directories like /tmp. The nodev mount option should be
specified for /tmp.</ns3:description>
<ns3:reference ref_id="20130821" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_tmp_nodev" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="nodev on /tmp" test_ref="oval:ssg-test_nodev_tmp:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_tmp_noexec:def:1" version="1">
<ns3:metadata>
<ns3:title>Add noexec Option to /tmp</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>It can be dangerous to allow the execution of binaries from
world-writable temporary storage directories such as /tmp. The noexec
mount option prevents binaries from being executed out of
/tmp.</ns3:description>
<ns3:reference ref_id="20130821" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_tmp_noexec" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="noexec on /tmp" test_ref="oval:ssg-test_noexec_tmp:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_tmp_nosuid:def:1" version="1">
<ns3:metadata>
<ns3:title>Add nosuid Option to /tmp</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The nosuid mount option should be set for temporary storage
partitions such as /tmp. The suid/sgid permissions should not be required
in these world-writable directories.</ns3:description>
<ns3:reference ref_id="20130821" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_tmp_nosuid" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="nosuid on /tmp" test_ref="oval:ssg-test_nosuid_tmp:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_var_tmp_bind:def:1" version="1">
<ns3:metadata>
<ns3:title>Bind Mount /var/tmp To /tmp</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /var/tmp directory should be bind mounted to /tmp in
order to consolidate temporary storage into one location protected by the
same techniques as /tmp.</ns3:description>
<ns3:reference ref_id="20130821" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="mount_option_var_tmp_bind" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Ensure /var/tmp is mounted" test_ref="oval:ssg-test_mount_option_var_tmp:tst:1" />
<ns3:criterion comment="Ensure /tmp is bind mounted" test_ref="oval:ssg-test_mount_option_var_tmp_bind:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-network_disable_zeroconf:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Zeroconf Networking</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Disable Zeroconf automatic route assignment in the
169.254.0.0 subnet.</ns3:description>
<ns3:reference ref_id="20130813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="network_disable_zeroconf" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Look for NOZEROCONF=yes in /etc/sysconfig/network" test_ref="oval:ssg-test_sysconfig_nozeroconf_yes:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-network_ipv6_default_gateway:def:1" version="1">
<ns3:metadata>
<ns3:title>Manually Assign IPv6 Router Address</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Define default gateways for IPv6 traffic</ns3:description>
<ns3:reference ref_id="network_ipv6_default_gateway" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="IPv6 disabled or..." definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criterion comment="Define default gateways" test_ref="oval:ssg-test_network_ipv6_default_gateway:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-network_ipv6_disable_rpc:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Support for RPC IPv6</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Disable ipv6 based rpc services</ns3:description>
<ns3:reference ref_id="network_ipv6_disable_rpc" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Disable udp6" test_ref="oval:ssg-test_network_ipv6_disable_rpc_udp6:tst:1" />
<ns3:criterion comment="Disable tcp6" test_ref="oval:ssg-test_network_ipv6_disable_rpc_tcp6:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-network_ipv6_privacy_extensions:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable Privacy Extensions for IPv6</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable privacy extensions for IPv6</ns3:description>
<ns3:reference ref_id="network_ipv6_privacy_extensions" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="IPv6 disabled or..." definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criterion comment="Enable privacy extensions per interface" test_ref="oval:ssg-test_network_ipv6_privacy_extensions:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-network_ipv6_static_address:def:1" version="1">
<ns3:metadata>
<ns3:title>Manually Assign Global IPv6 Address</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Manually configure addresses for IPv6</ns3:description>
<ns3:reference ref_id="network_ipv6_static_address" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="IPv6 disabled or..." definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criterion comment="Set static IPv6 address on each interface" test_ref="oval:ssg-test_network_ipv6_static_address:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-network_sniffer_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable the network sniffer</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Disable the network sniffer</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="network_sniffer_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="promisc interfaces" negate="true" test_ref="oval:ssg-test_promisc_interfaces:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-no_direct_root_logins:def:1" version="1">
<ns3:metadata>
<ns3:title>Direct root Logins Not Allowed</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Preventing direct root logins help ensure accountability for actions
taken on the system using the root account.</ns3:description>
<ns3:reference ref_id="20151030" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="no_direct_root_logins" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="serial ports /etc/securetty" test_ref="oval:ssg-test_no_direct_root_logins:tst:1" />
<ns3:criterion comment="serial ports /etc/securetty" test_ref="oval:ssg-test_etc_securetty_exists:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-no_empty_passwords:def:1" version="1">
<ns3:metadata>
<ns3:title>No nullok Option in /etc/pam.d/system-auth</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The file /etc/pam.d/system-auth should not contain the nullok option</ns3:description>
<ns3:reference ref_id="20130918" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="no_empty_passwords" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="oval:ssg-test_no_empty_passwords:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-no_files_unowned_by_user:def:1" version="1">
<ns3:metadata>
<ns3:title>Find files unowned by a user</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>All files should be owned by a user</ns3:description>
<ns3:reference ref_id="20131218" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="rmercer" />
<ns3:reference ref_id="no_files_unowned_by_user" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check all files and make sure they are owned by a user" test_ref="oval:ssg-no_files_unowned_by_user_test:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-no_insecure_locks_exports:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure insecure_locks is disabled</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Allowing insecure file locking could allow for sensitive
data to be viewed or edited by an unauthorized user.</ns3:description>
<ns3:reference ref_id="20140813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="no_insecure_locks_exports" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check for insecure NFS locks in /etc/exports" test_ref="oval:ssg-test_no_insecure_locks_exports:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-no_rsh_trust_files:def:1" version="1">
<ns3:metadata>
<ns3:title>No Legacy .rhosts Or hosts.equiv Files</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>There should not be any .rhosts or hosts.equiv files on the system.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="no_rsh_trust_files" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion negate="true" test_ref="oval:ssg-test_no_rsh_trust_files_root:tst:1" />
<ns3:criterion negate="true" test_ref="oval:ssg-test_no_rsh_trust_files_home:tst:1" />
<ns3:criterion negate="true" test_ref="oval:ssg-test_no_rsh_trust_files_etc:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-no_shelllogin_for_systemaccounts:def:1" version="2">
<ns3:metadata>
<ns3:title>System Accounts Do Not Run a Shell</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The root account is the only system account that should have
a login shell.</ns3:description>
<ns3:reference ref_id="RHEL6_20160621" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20160621" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA23_20160621" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="no_shelllogin_for_systemaccounts" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria operator="AND">
<ns3:criterion comment="Test SYS_UID_MIN not defined in /etc/login.defs" test_ref="oval:ssg-test_sys_uid_min_not_defined:tst:1" />
<ns3:criterion comment="Test SYS_UID_MAX not defined in /etc/login.defs" test_ref="oval:ssg-test_sys_uid_max_not_defined:tst:1" />
<ns3:criterion comment="Test shell defined for UID from &lt;0, UID_MIN -1&gt;" test_ref="oval:ssg-test_shell_defined_default_uid_range:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:criterion comment="Test SYS_UID_MIN defined in /etc/login.defs" negate="true" test_ref="oval:ssg-test_sys_uid_min_not_defined:tst:1" />
<ns3:criterion comment="Test SYS_UID_MAX defined in /etc/login.defs" negate="true" test_ref="oval:ssg-test_sys_uid_max_not_defined:tst:1" />
<ns3:criterion comment="Test shell defined for reserved system UIDs" test_ref="oval:ssg-test_shell_defined_reserved_uid_range:tst:1" />
<ns3:criterion comment="Test shell defined for dynamically allocated system UIDs" test_ref="oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_aide_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package aide Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package aide should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_aide_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package aide is installed" test_ref="oval:ssg-test_package_aide_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_audit_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package audit Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package audit should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_audit_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package audit is installed" test_ref="oval:ssg-test_package_audit_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_bind_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package bind Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package bind should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_bind_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package bind is removed" test_ref="oval:ssg-test_package_bind_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_dconf_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package dconf Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package dconf should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_dconf_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package dconf is installed" test_ref="oval:ssg-test_package_dconf_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_dhcp_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package dhcp Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package dhcp should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_dhcp_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package dhcp is removed" test_ref="oval:ssg-test_package_dhcp_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_dovecot_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package dovecot Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package dovecot should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_dovecot_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package dovecot is removed" test_ref="oval:ssg-test_package_dovecot_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_dracut-fips_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package dracut-fips Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package dracut-fips should be installed.</ns3:description>
<ns3:reference ref_id="20160608" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="package_dracut-fips_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package dracut-fips is installed" test_ref="oval:ssg-test_package_dracut-fips_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_gdm_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package gdm Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package gdm should be installed.</ns3:description>
<ns3:reference ref_id="20160413" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="package_gdm_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package gdm is installed" test_ref="oval:ssg-test_package_gdm_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_httpd_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package httpd Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package httpd should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_httpd_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package httpd is removed" test_ref="oval:ssg-test_package_httpd_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_libreswan_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package libreswan Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package libreswan should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_libreswan_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package libreswan is installed" test_ref="oval:ssg-test_package_libreswan_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_mcstrans_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package mcstrans Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package mcstrans should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_mcstrans_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package mcstrans is removed" test_ref="oval:ssg-test_package_mcstrans_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_net-snmp_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package net-snmp Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package net-snmp should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_net-snmp_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package net-snmp is removed" test_ref="oval:ssg-test_package_net-snmp_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_nss-pam-ldapd_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package nss-pam-ldapd Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package nss-pam-ldapd should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_nss-pam-ldapd_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package nss-pam-ldapd is removed" test_ref="oval:ssg-test_package_nss-pam-ldapd_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_ntp_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package ntp Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package ntp should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_ntp_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package ntp is installed" test_ref="oval:ssg-test_package_ntp_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_openldap-servers_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package openldap-servers Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package openldap-servers should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_openldap-servers_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package openldap-servers is removed" test_ref="oval:ssg-test_package_openldap-servers_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_openssh-server_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package openssh-server Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package openssh-server should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_openssh-server_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package openssh-server is removed" test_ref="oval:ssg-test_package_openssh-server_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_prelink_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package prelink Removed</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The RPM package prelink should be removed.</ns3:description>
<ns3:reference ref_id="RHEL6_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA21_20150624" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_prelink_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package prelink is removed" test_ref="oval:ssg-test_package_prelink_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_rsh-server_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package rsh-server Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package rsh-server should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_rsh-server_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package rsh-server is removed" test_ref="oval:ssg-test_package_rsh-server_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_rsh_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package rsh Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package rsh should be removed.</ns3:description>
<ns3:reference ref_id="20140530" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_rsh_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package rsh is removed" test_ref="oval:ssg-test_package_rsh_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_rsyslog_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package rsyslog Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package rsyslog should be installed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_rsyslog_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package rsyslog is installed" test_ref="oval:ssg-test_package_rsyslog_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_samba-common_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package samba-common Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package samba-common should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_samba-common_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package samba-common is removed" test_ref="oval:ssg-test_package_samba-common_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_screen_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package screen Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package screen should be installed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_screen_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package screen is installed" test_ref="oval:ssg-test_package_screen_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_sendmail_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package sendmail Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package sendmail should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_sendmail_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package sendmail is removed" test_ref="oval:ssg-test_package_sendmail_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_setroubleshoot_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package setroubleshoot Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package setroubleshoot should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_setroubleshoot_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package setroubleshoot is removed" test_ref="oval:ssg-test_package_setroubleshoot_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_squid_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package squid Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package squid should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_squid_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package squid is removed" test_ref="oval:ssg-test_package_squid_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_talk-server_removed:def:1" version="2">
<ns3:metadata>
<ns3:title>Package talk-server Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package talk-server should be removed.</ns3:description>
<ns3:reference ref_id="RHEL6_20140625" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20140625" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_talk-server_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package talk-server is removed" test_ref="oval:ssg-test_package_talk-server_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_talk_removed:def:1" version="2">
<ns3:metadata>
<ns3:title>Package talk Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package talk should be removed.</ns3:description>
<ns3:reference ref_id="RHEL6_20140625" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20140625" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_talk_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package talk is removed" test_ref="oval:ssg-test_package_talk_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_telnet-server_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package telnet-server Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package telnet-server should be removed.</ns3:description>
<ns3:reference ref_id="20140915" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="package_telnet-server_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package telnet-server is removed" test_ref="oval:ssg-test_package_telnet-server_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_telnet_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package telnet Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package telnet should be removed.</ns3:description>
<ns3:reference ref_id="20140915" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="package_telnet_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package telnet is removed" test_ref="oval:ssg-test_package_telnet_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_tftp-server_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package tftp-server Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package tftp-server should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_tftp-server_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package tftp-server is removed" test_ref="oval:ssg-test_package_tftp-server_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_tftp_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package tftp Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package tftp should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_tftp_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package tftp is removed" test_ref="oval:ssg-test_package_tftp_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_vsftpd_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package vsftpd Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package vsftpd should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_vsftpd_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package vsftpd is installed" test_ref="oval:ssg-test_package_vsftpd_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_vsftpd_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package vsftpd Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package vsftpd should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_vsftpd_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package vsftpd is removed" test_ref="oval:ssg-test_package_vsftpd_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_xinetd_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package xinetd Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package xinetd should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_xinetd_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package xinetd is removed" test_ref="oval:ssg-test_package_xinetd_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_xorg-x11-server-common_removed:def:1" version="2">
<ns3:metadata>
<ns3:title>Package xorg-x11-server-common Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package xorg-x11-server-common should be removed.</ns3:description>
<ns3:reference ref_id="RHEL6_20151202" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="RHEL7_20151202" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_xorg-x11-server-common_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package xorg-x11-server-common is removed" test_ref="oval:ssg-test_package_xorg-x11-server-common_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_ypbind_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package ypbind Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package ypbind should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_ypbind_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package ypbind is removed" test_ref="oval:ssg-test_package_ypbind_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_ypserv_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package ypserv Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package ypserv should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_ypserv_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package ypserv is removed" test_ref="oval:ssg-test_package_ypserv_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-partition_for_home:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure /home Located On Separate Partition</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>If user home directories will be stored locally, create a
separate partition for /home. If /home will be mounted from another
system such as an NFS server, then creating a separate partition is not
necessary at this time, and the mountpoint can instead be configured
later.</ns3:description>
<ns3:reference ref_id="20130830" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="partition_for_home" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="/home on own partition" test_ref="oval:ssg-test_home_partition:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-partition_for_tmp:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure /tmp Located On Separate Partition</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /tmp directory is a world-writable directory used for
temporary file storage. Verify that it has its own partition or logical
volume.</ns3:description>
<ns3:reference ref_id="20130830" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="partition_for_tmp" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="/tmp on own partition" test_ref="oval:ssg-test_tmp_partition:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-partition_for_var:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure /var Located On Separate Partition</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Ensuring that /var is mounted on its own partition enables
the setting of more restrictive mount options, which is used as temporary
storage by many program, particularly system services such as daemons. It
is not uncommon for the /var directory to contain world-writable
directories, installed by other software packages.</ns3:description>
<ns3:reference ref_id="20130830" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="partition_for_var" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="/var on own partition" test_ref="oval:ssg-test_var_partition:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-partition_for_var_log:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure /var/log Located On Separate Partition</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>System logs are stored in the /var/log directory. Ensure
that it has its own partition or logical volume.</ns3:description>
<ns3:reference ref_id="20130830" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="partition_for_var_log" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="/var/log on own partition" test_ref="oval:ssg-test_var_log_partition:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-partition_for_var_log_audit:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure /var/log/audit Located On Separate Partition</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Audit logs are stored in the /var/log/audit directory.
Ensure that it has its own partition or logical volume. Make absolutely
certain that it is large enough to store all audit logs that will be
created by the auditing daemon.</ns3:description>
<ns3:reference ref_id="20130830" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="partition_for_var_log_audit" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="/var/log/audit on own partition" test_ref="oval:ssg-test_var_log_audit_partition:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-postfix_server_banner:def:1" version="1">
<ns3:metadata>
<ns3:title>Configure Postfix Against Unnecessary Release of Information</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Protect against unnecessary release of information.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="postfix_server_banner" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Limit release of information" test_ref="oval:ssg-test_postfix_server_banner:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-require_singleuser_auth:def:1" version="1">
<ns3:metadata>
<ns3:title>Require Authentication for Single-User Mode</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The requirement for a password to boot into single-user mode
should be configured correctly.</ns3:description>
<ns3:reference ref_id="20140926" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="require_singleuser_auth" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="Conditions are satisfied" test_ref="oval:ssg-test_require_rescue_service:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_require_rescue_service_runlevel1:tst:1" />
<ns3:criterion negate="true" test_ref="oval:ssg-test_no_custom_runlevel1_target:tst:1" />
<ns3:criterion negate="true" test_ref="oval:ssg-test_no_custom_rescue_service:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-require_smb_client_signing:def:1" version="1">
<ns3:metadata>
<ns3:title>Require Client SMB Packet Signing in smb.conf</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Require samba clients which use smb.conf, such as smbclient,
to use packet signing. A Samba client should only communicate with
servers who can support SMB packet signing.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="require_smb_client_signing" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="package samba-common is not installed" definition_ref="oval:ssg-package_samba-common_removed:def:1" />
<ns3:criterion comment="check for client signing = mandatory in /etc/samba/smb.conf" test_ref="oval:ssg-test_require_smb_client_signing:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-restrict_serial_port_logins:def:1" version="1">
<ns3:metadata>
<ns3:title>Restrict Serial Port Root Logins</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Preventing direct root login to serial port interfaces helps
ensure accountability for actions taken on the system using the root
account.</ns3:description>
<ns3:reference ref_id="20141114" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="restrict_serial_port_logins" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="serial ports /etc/securetty" negate="true" test_ref="oval:ssg-test_serial_ports_etc_securetty:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-root_path_no_dot:def:1" version="2">
<ns3:metadata>
<ns3:title>Ensure that No Dangerous Directories Exist in Root's Path</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The environment variable PATH should be set correctly for
the root user.</ns3:description>
<ns3:reference ref_id="20140522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="root_path_no_dot" source="ssg" /></ns3:metadata>
<ns3:criteria comment="environment variable PATH contains dangerous path" operator="AND">
<ns3:criterion comment="environment variable PATH starts with : or ." test_ref="oval:ssg-test_env_var_begins:tst:1" />
<ns3:criterion comment="environment variable PATH contains : twice in a row" test_ref="oval:ssg-test_env_var_contains_doublecolon:tst:1" />
<ns3:criterion comment="environment variable PATH contains . twice in a row" test_ref="oval:ssg-test_env_var_contains_doubleperiod:tst:1" />
<ns3:criterion comment="environment variable PATH ends with : or ." test_ref="oval:ssg-test_env_var_ends:tst:1" />
<ns3:criterion comment="environment variable PATH doesn't begin with a /" test_ref="oval:ssg-test_env_var_begins_slash:tst:1" />
<ns3:criterion comment="environment variable PATH doesn't contain relative paths" test_ref="oval:ssg-test_env_var_contains_relative_path:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-rpm_verify_hashes:def:1" version="3">
<ns3:metadata>
<ns3:title>Verify File Hashes with RPM</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
</ns3:affected>
<ns3:description>Verify the RPM digests of system binaries using the RPM database.</ns3:description>
<ns3:reference ref_id="RHEL6_20150818" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150818" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150818" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="rpm_verify_hashes" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="verify file md5 hashes" test_ref="oval:ssg-test_files_fail_md5_hash:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-rpm_verify_permissions:def:1" version="3">
<ns3:metadata>
<ns3:title>Verify File Ownership And Permissions Using RPM</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Verify the integrity of installed packages
by comparing the installed files with information about the
files taken from the package metadata stored in the RPM
database.</ns3:description>
<ns3:reference ref_id="RHEL6_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150817" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="rpm_verify_permissions" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="user ownership of all files matches local rpm database" test_ref="oval:ssg-test_verify_all_rpms_user_ownership:tst:1" />
<ns3:criterion comment="group ownership of all files matches local rpm database" test_ref="oval:ssg-test_verify_all_rpms_group_ownership:tst:1" />
<ns3:criterion comment="mode of all files matches local rpm database" test_ref="oval:ssg-test_verify_all_rpms_mode:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-rsyslog_nolisten:def:1" version="2">
<ns3:metadata>
<ns3:title>Disable Rsyslogd from Accepting Remote Messages on Loghosts
Only</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>rsyslogd should reject remote messages</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="rsyslog_nolisten" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Conditions are satisfied" test_ref="oval:ssg-test_rsyslog_nolisten:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-rsyslog_remote_loghost:def:1" version="1">
<ns3:metadata>
<ns3:title>Send Logs to a Remote Loghost</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Debian 8</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Syslog logs should be sent to a remote loghost</ns3:description>
<ns3:reference ref_id="20151105" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="rsyslog_remote_loghost" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Remote logging set within /etc/rsyslog.conf" test_ref="oval:ssg-test_remote_rsyslog_conf:tst:1" />
<ns3:criterion comment="Remote logging set within /etc/rsyslog.d" test_ref="oval:ssg-test_remote_rsyslog_d:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-securetty_root_login_console_only:def:1" version="1">
<ns3:metadata>
<ns3:title>Restrict Virtual Console Root Logins</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Preventing direct root login to virtual console devices
helps ensure accountability for actions taken on the system using the
root account.</ns3:description>
<ns3:reference ref_id="20141114" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="securetty_root_login_console_only" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="virtual consoles /etc/securetty" test_ref="oval:ssg-test_virtual_consoles_etc_securetty:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-selinux_all_devicefiles_labeled:def:1" version="1">
<ns3:metadata>
<ns3:title>Device Files Have Proper SELinux Context</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>All device files in /dev should be assigned an SELinux security context other than 'device_t'.</ns3:description>
<ns3:reference ref_id="selinux_all_devicefiles_labeled" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="device_t in /dev" test_ref="oval:ssg-test_selinux_all_devicefiles_labeled:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-selinux_confinement_of_daemons:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure No Daemons are Unconfined by SELinux</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>All pids in /proc should be assigned an SELinux security context other than 'initrc_t'.</ns3:description>
<ns3:reference ref_id="selinux_confinement_of_daemons" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="device_t in /dev" test_ref="oval:ssg-test_selinux_confinement_of_daemons:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-selinux_policytype:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable SELinux</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The SELinux policy should be set appropriately.</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="selinux_policytype" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_selinux_policy:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-selinux_state:def:1" version="1">
<ns3:metadata>
<ns3:title>SELinux Enforcing</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The SELinux state should be enforcing the local policy.</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="selinux_state" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="enforce is disabled" test_ref="oval:ssg-test_etc_selinux_config:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-set_firewalld_default_zone:def:1" version="2">
<ns3:metadata>
<ns3:title>Change the default firewalld zone to drop</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Change the default firewalld zone to drop.</ns3:description>
<ns3:reference ref_id="20150122" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="set_firewalld_default_zone" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Set default zone to drop" test_ref="oval:ssg-test_firewalld_input_drop:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-set_password_hashing_algorithm_libuserconf:def:1" version="1">
<ns3:metadata>
<ns3:title>Set SHA512 Password Hashing Algorithm in /etc/libuser.conf</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The password hashing algorithm should be set correctly in /etc/libuser.conf.</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="set_password_hashing_algorithm_libuserconf" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_etc_libuser_conf_cryptstyle:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-set_password_hashing_algorithm_logindefs:def:1" version="2">
<ns3:metadata>
<ns3:title>Set SHA512 Password Hashing Algorithm in /etc/login.defs</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The password hashing algorithm should be set correctly in /etc/login.defs.</ns3:description>
<ns3:reference ref_id="RHEL6_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA20_20150201" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="set_password_hashing_algorithm_logindefs" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_etc_login_defs_encrypt_method:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-set_password_hashing_algorithm_systemauth:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Password Hashing Algorithm in /etc/pam.d/system-auth</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The password hashing algorithm should be set correctly in /etc/pam.d/system-auth.</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="set_password_hashing_algorithm_systemauth" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_pam_unix_sha512:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-snmpd_not_default_password:def:1" version="2">
<ns3:metadata>
<ns3:title>SNMP default communities disabled</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>SNMP default communities must be removed.</ns3:description>
<ns3:reference ref_id="20140813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="snmpd_not_default_password" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="SMNP installed" definition_ref="oval:ssg-package_net-snmp_removed:def:1" />
<ns3:criterion comment="SNMP communities" test_ref="oval:ssg-test_snmp_default_communities:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-snmpd_use_newer_protocol:def:1" version="2">
<ns3:metadata>
<ns3:title>SNMP use newer protocols</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>SNMP version 1 and 2c must not be enabled.</ns3:description>
<ns3:reference ref_id="20140813" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="snmpd_use_newer_protocol" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="SMNP installed" definition_ref="oval:ssg-package_net-snmp_removed:def:1" />
<ns3:criterion comment="SNMP protocols" test_ref="oval:ssg-test_snmp_versions:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_allow_only_protocol2:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure Only Protocol 2 Connections Allowed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Debian 8</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The OpenSSH daemon should be running protocol 2.</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_allow_only_protocol2" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1" />
<ns3:criterion comment="Check Protocol in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_allow_only_protocol2:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_disable_empty_passwords:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Empty Passwords</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Remote connections from accounts with empty passwords should
be disabled (and dependencies are met)</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_disable_empty_passwords" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check PermitEmptyPasswords in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg-test_sshd_permitemptypasswords_no:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_disable_rhosts:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable .rhosts Files</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Emulation of the rsh command through the ssh server should
be disabled (and dependencies are met)</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_disable_rhosts" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check IgnoreRhosts in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_rsh_emulation_disabled:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_disable_root_login:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable root Login via SSH</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>Root login via SSH should be disabled (and dependencies are
met)</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_disable_root_login" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check PermitRootLogin in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg-test_sshd_permitrootlogin_no:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_do_not_permit_user_env:def:1" version="1">
<ns3:metadata>
<ns3:title>Do Not Allow Users to Set Environment Options</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>PermitUserEnvironment should be disabled</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_do_not_permit_user_env" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check PermitUserEnvironment in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg-test_sshd_no_user_envset:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_enable_warning_banner:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable a Warning Banner</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>SSH warning banner should be enabled (and dependencies are
met)</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_enable_warning_banner" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check Banner in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_banner_set:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_set_idle_timeout:def:1" version="1">
<ns3:metadata>
<ns3:title>Set OpenSSH Idle Timeout Interval</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The SSH idle timeout interval should be set to an
appropriate value.</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_set_idle_timeout" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_idle_timeout:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_set_keepalive:def:1" version="1">
<ns3:metadata>
<ns3:title>Set ClientAliveCountMax for User Logins</ns3:title>
<ns3:affected family="unix">
</ns3:affected>
<ns3:description>The SSH ClientAliveCountMax should be set to an appropriate
value (and dependencies are met)</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_set_keepalive" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_clientalivecountmax:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_use_approved_ciphers:def:1" version="1">
<ns3:metadata>
<ns3:title>Use Only Approved Ciphers</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Limit the ciphers to those which are FIPS-approved and only
use ciphers in counter (CTR) mode.</ns3:description>
<ns3:reference ref_id="20140414" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sshd_use_approved_ciphers" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_use_approved_ciphers:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_use_approved_macs:def:1" version="1">
<ns3:metadata>
<ns3:title>Use Only FIPS MACs</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Limit the Message Authentication Codes (MACs) to those which are FIPS-approved.</ns3:description>
<ns3:reference ref_id="20150718" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="PCA" />
<ns3:reference ref_id="sshd_use_approved_macs" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check MACs in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_use_approved_macs:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysconfig_networking_bootproto_ifcfg:def:1" version="2">
<ns3:metadata>
<ns3:title>Disable DHCP Client</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>DHCP configuration should be static for all
interfaces.</ns3:description>
<ns3:reference ref_id="20140530" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="sysconfig_networking_bootproto_ifcfg" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Test for BOOTPROTO=(static|none) across all interfaces">
<ns3:criterion test_ref="oval:ssg-test_sysconfig_networking_bootproto_ifcfg:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_kernel_dmesg_restrict:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "kernel.dmesg_restrict" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The "kernel.dmesg_restrict" kernel parameter should be set to "1" in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20151029" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sysctl_kernel_dmesg_restrict" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="kernel.dmesg_restrict configuration setting check" definition_ref="oval:ssg-sysctl_static_kernel_dmesg_restrict:def:1" />
<ns3:extend_definition comment="kernel.dmesg_restrict runtime setting check" definition_ref="oval:ssg-sysctl_runtime_kernel_dmesg_restrict:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_kernel_exec_shield:def:1" version="2">
<ns3:metadata>
<ns3:title>Kernel Runtime Parameter "kernel.exec-shield" Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel runtime parameter "kernel.exec-shield" should not be disabled and set to 1 on 32-bit systems.</ns3:description>
<ns3:reference ref_id="201410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sysctl_kernel_exec_shield" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria comment="system is RHEL6" operator="AND">
<ns3:extend_definition comment="RHEL6 installed" definition_ref="oval:ssg-installed_OS_is_rhel6:def:1" />
<ns3:criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg-test_runtime_sysctl_kernel_exec_shield:tst:1" />
<ns3:criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg-test_static_sysctl_kernel_exec_shield:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="32-bit system" definition_ref="oval:ssg-system_info_architecture_x86:def:1" />
<ns3:criterion comment="kernel runtime parameter kernel.exec-shield set to 1" test_ref="oval:ssg-test_runtime_sysctl_kernel_exec_shield:tst:1" />
<ns3:criterion comment="kernel /etc/sysctl.conf parameter kernel.exec-shield set to 1" test_ref="oval:ssg-test_static_sysctl_kernel_exec_shield:tst:1" />
</ns3:criteria>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" />
<ns3:criterion comment="NX is supported and is not disabled" test_ref="oval:ssg-test_nx_disabled_grub:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_kernel_ipv6_disable:def:1" version="2">
<ns3:metadata>
<ns3:title>Kernel Runtime Parameter IPv6 Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Disables IPv6 for all network interfaces.</ns3:description>
<ns3:reference ref_id="20141015" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sysctl_kernel_ipv6_disable" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_all_disable_ipv6:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_all_disable_ipv6:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-umask_for_daemons:def:1" version="1">
<ns3:metadata>
<ns3:title>Set Daemon umask</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The daemon umask should be set as appropriate</ns3:description>
<ns3:reference ref_id="RHEL6_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="umask_for_daemons" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-tst_umask_for_daemons:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_kernel_randomize_va_space:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "kernel.randomize_va_space" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "kernel.randomize_va_space" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_kernel_randomize_va_space" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="kernel.randomize_va_space configuration setting check" definition_ref="oval:ssg-sysctl_static_kernel_randomize_va_space:def:1" />
<ns3:extend_definition comment="kernel.randomize_va_space runtime setting check" definition_ref="oval:ssg-sysctl_runtime_kernel_randomize_va_space:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_kernel_dmesg_restrict:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "kernel.dmesg_restrict" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "kernel.dmesg_restrict" parameter should be set to "1" in system runtime.</ns3:description>
<ns3:reference ref_id="20151029" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sysctl_runtime_kernel_dmesg_restrict" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter kernel.dmesg_restrict set to 1" test_ref="oval:ssg-test_runtime_kernel_dmesg_restrict:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_kernel_randomize_va_space:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "kernel.randomize_va_space" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "kernel.randomize_va_space" parameter should be set to "2" in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_kernel_randomize_va_space" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter kernel.randomize_va_space set to 2" test_ref="oval:ssg-test_runtime_sysctl_kernel_randomize_va_space:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_all_disable_ipv6:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_all_disable_ipv6" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_kernel_dmesg_restrict:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "kernel.dmesg_restrict" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "kernel.dmesg_restrict" parameter should be set to "1" in the system configuration.</ns3:description>
<ns3:reference ref_id="20151029" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sysctl_static_kernel_dmesg_restrict" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Kernel static parameter kernel.dmesg_restrict set to 1 in /etc/sysctl.d/*" test_ref="oval:ssg-test_static_sysctld_kernel_dmesg_restrict:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="Kernel static paramater kernel.dmesg_restrict set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_static_etc_sysctl_kernel_dmesg_restrict:tst:1" />
<ns3:criterion comment="Kernel static parameter kernel.dmesg_restrict not present in some /etc/sysctl.d/* file" test_ref="oval:ssg-test_static_sysctld_kernel_dmesg_restrict_not_used:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_kernel_randomize_va_space:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "kernel.randomize_va_space" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "kernel.randomize_va_space" parameter should be set to "2" in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_kernel_randomize_va_space" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter kernel.randomize_va_space set to 2 in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_kernel_randomize_va_space:tst:1" />
<ns3:criterion comment="kernel static parameter kernel.randomize_va_space set to 2 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_kernel_randomize_va_space:tst:1" />
<ns3:criterion comment="kernel static parameter kernel.randomize_va_space set to 2 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_kernel_randomize_va_space:tst:1" />
<ns3:criterion comment="kernel static parameter kernel.randomize_va_space set to 2 in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_kernel_randomize_va_space:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_all_disable_ipv6:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.disable_ipv6" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.disable_ipv6" parameter should be set to "1" in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_all_disable_ipv6" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.disable_ipv6 set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.disable_ipv6 set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.disable_ipv6 set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.disable_ipv6 set to 1 in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-system_info_architecture_64bit:def:1" version="1">
<ns3:metadata>
<ns3:title>Test for 64-bit Architecture</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Generic test for 64-bit architectures to be used by other tests</ns3:description>
<ns3:reference ref_id="20160527" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="system_info_architecture_64bit" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="Generic test for x86_64 architecture" definition_ref="oval:ssg-system_info_architecture_x86_64:def:1" />
<ns3:extend_definition comment="Generic test for ppc64 architecture" definition_ref="oval:ssg-system_info_architecture_ppc_64:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-system_info_architecture_ppc_64:def:1" version="1">
<ns3:metadata>
<ns3:title>Test for PPC and PPCLE Architecture</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Generic test for PPC PPC64LE architecture to be used by other tests</ns3:description>
<ns3:reference ref_id="20160527" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="system_info_architecture_ppc_64" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Generic test for ppc64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppc_64:tst:1" />
<ns3:criterion comment="Generic test for ppcle64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-system_info_architecture_x86:def:1" version="1">
<ns3:metadata>
<ns3:title>Test for x86 Architecture</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Generic test for x86 architecture to be used by other tests</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="system_info_architecture_x86" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Generic test for x86 architecture" test_ref="oval:ssg-test_system_info_architecture_x86:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-system_info_architecture_x86_64:def:1" version="1">
<ns3:metadata>
<ns3:title>Test for x86_64 Architecture</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>Generic test for x86_64 architecture to be used by other tests</ns3:description>
<ns3:reference ref_id="20130819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="FEDORA20_20150522" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="system_info_architecture_x86_64" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Generic test for x86_64 architecture" test_ref="oval:ssg-test_system_info_architecture_x86_64:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-tftpd_uses_secure_mode:def:1" version="1">
<ns3:metadata>
<ns3:title>TFTP Daemon Uses Secure Mode</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The TFTP daemon should use secure mode.</ns3:description>
<ns3:reference ref_id="20160120" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="tftpd_uses_secure_mode" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package tftp-server removed or /etc/xinetd.d/tftp configured correctly" operator="OR">
<ns3:extend_definition comment="rpm package tftp-server removed" definition_ref="oval:ssg-package_tftp-server_removed:def:1" />
<ns3:criterion comment="tftpd secure mode" test_ref="oval:ssg-test_tftpd_uses_secure_mode:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-userowner_shadow_file:def:1" version="1">
<ns3:metadata>
<ns3:title>Verify user who owns 'shadow' file</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The /etc/shadow file should be owned by the
appropriate user.</ns3:description>
<ns3:reference ref_id="20130807" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="MED" />
<ns3:reference ref_id="userowner_shadow_file" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check file ownership of /etc/shadow" test_ref="oval:ssg-test_userowner_shadow_file:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-wireless_disable_interfaces:def:1" version="1">
<ns3:metadata>
<ns3:title>Deactivate Wireless Interfaces</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>All wireless interfaces should be disabled.</ns3:description>
<ns3:reference ref_id="wireless_disable_interfaces" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="query /proc/net/wireless" test_ref="oval:ssg-test_wireless_disable_interfaces:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_logon_fail_delay:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure that FAIL_DELAY is Configured in /etc/login.defs</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The delay between failed authentication attempts should be
set for all users specified in /etc/login.defs</ns3:description>
<ns3:reference ref_id="20160530" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_logon_fail_delay" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_accounts_logon_fail_delay:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-accounts_passwords_pam_faillock_deny_root:def:1" version="4">
<ns3:metadata>
<ns3:title>Lock out the root account after failed login attempts</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The root account should be configured to deny access after the number of defined
failed attempts has been reached.</ns3:description>
<ns3:reference ref_id="RHEL7_20150122" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="accounts_passwords_pam_faillock_deny_root" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="pam_faillock.so preauth silent set in system-auth" test_ref="oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so authfail deny_root value set in system-auth" test_ref="oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so preauth silent set in password-auth" test_ref="oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1" />
<ns3:criterion comment="pam_faillock.so authfail deny_root value set in password-auth" test_ref="oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-clean_components_post_updating:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure YUM Removes Previous Package Versions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The clean_requirements_on_remove option should be used to ensure that old
versions of software components are removed after updating.</ns3:description>
<ns3:reference ref_id="20160524" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="clean_components_post_updating" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="check value of clean_requirements_on_remove in /etc/yum.conf" test_ref="oval:ssg-test_yum_clean_components_post_updating:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-enable_x11_forwarding:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable X11 Forwarding</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable X11Forwarding to encrypt X11 remote connections over SSH.</ns3:description>
<ns3:reference ref_id="20160410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="enable_x11_forwarding" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check X11Forwarding in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_x11_forwarding:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ensure_gpgcheck_local_packages:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure gpgcheck Enabled for Local Packages</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The localpkg_gpgcheck option should be used to ensure that checking
of an RPM package's signature always occurs prior to its
installation.</ns3:description>
<ns3:reference ref_id="20160524" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="ensure_gpgcheck_local_packages" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="check value of localpkg_gpgcheck in /etc/yum.conf" test_ref="oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ensure_gpgcheck_repo_metadata:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure gpgcheck Enabled for Repository Metadata</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The repo_gpgcheck option should be used to ensure that checking
of repository metadata always occurs.</ns3:description>
<ns3:reference ref_id="20160524" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="ensure_gpgcheck_repo_metadata" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="check value of repo_gpgcheck in /etc/yum.conf" test_ref="oval:ssg-test_yum_ensure_gpgcheck_repo_metadata:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_sshd_private_key:def:1" version="1">
<ns3:metadata>
<ns3:title>SSH Server Private Key Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>File permissions for the SSH Server's private keys should be
set to 0600 (or stronger). By default, these files are located at /etc/ssh.</ns3:description>
<ns3:reference ref_id="20160401" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="file_permissions_sshd_private_key" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_permissions_sshd_private_key:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_sshd_pub_key:def:1" version="1">
<ns3:metadata>
<ns3:title>SSHD Service Public Key Permissions</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>File permissions for the SSH Server's public keys should be
set to 0644 (or stronger). By default, these files are located at /etc/ssh.</ns3:description>
<ns3:reference ref_id="20160401" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="file_permissions_sshd_pub_key" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion test_ref="oval:ssg-test_file_permissions_sshd_pub_key:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_unauthorized_sgid:def:1" version="2">
<ns3:metadata>
<ns3:title>Find setgid files system packages</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>All files with setgid should be owned by a base system package</ns3:description>
<ns3:reference ref_id="RHEL7_20150703" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_permissions_unauthorized_sgid" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check all setgid files" test_ref="oval:ssg-check_setgid_files:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-file_permissions_unauthorized_suid:def:1" version="1">
<ns3:metadata>
<ns3:title>Find setuid files from system packages</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>All files with setuid should be owned by a base system package</ns3:description>
<ns3:reference ref_id="RHEL7_20150704" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="file_permissions_unauthorized_suid" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check all setuid files" test_ref="oval:ssg-check_setuid_files:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-grub2_enable_fips_mode:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable FIPS Mode in GRUB2</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Look for argument fips=1 in the kernel line in /etc/default/grub.</ns3:description>
<ns3:reference ref_id="20160608" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="grub2_enable_fips_mode" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="Installed OS is RHEL7" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1" />
<ns3:extend_definition comment="prelink disabled" definition_ref="oval:ssg-disable_prelink:def:1" />
<ns3:extend_definition comment="package dracut-fips installed" definition_ref="oval:ssg-package_dracut-fips_installed:def:1" />
<ns3:criteria operator="OR">
<ns3:criterion comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" test_ref="oval:ssg-test_grub2_enable_fips_mode:tst:1" />
<ns3:criteria operator="AND">
<ns3:criterion comment="check for GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub" test_ref="oval:ssg-test_grub2_default_exists:tst:1" />
<ns3:criterion comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" test_ref="oval:ssg-test_grub2_enable_fips_mode_default:tst:1" />
<ns3:criterion comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" test_ref="oval:ssg-test_grub2_enable_fips_mode:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-install_PAE_kernel_on_x86-32:def:1" version="2">
<ns3:metadata>
<ns3:title>Package kernel-PAE Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package kernel-PAE should be installed on 32-bit
systems.</ns3:description>
<ns3:reference ref_id="RHEL7_20160621" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="install_PAE_kernel_on_x86-32" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="Not a 32-bit system" definition_ref="oval:ssg-system_info_architecture_x86:def:1" negate="true" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="A 32-bit system" definition_ref="oval:ssg-system_info_architecture_x86:def:1" />
<ns3:criterion comment="Package kernel-PAE is installed" test_ref="oval:ssg-test_package_kernel-PAE_installed:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-install_mcafee_hbss:def:1" version="1">
<ns3:metadata>
<ns3:title>Install McAfee Host-Based Intrusion Detection Software (HBSS)</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>McAfee Host-Based Intrusion Detection Software (HBSS) software
should be installed.</ns3:description>
<ns3:reference ref_id="20160408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="install_mcafee_hbss" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="McAfee runtime library package installed" test_ref="oval:ssg-test_mcafee_runtime_installed:tst:1" />
<ns3:criterion comment="McAfee management agent package installed" test_ref="oval:ssg-test_mcafee_management_agent:tst:1" />
<ns3:criterion comment="McAfee ACCM is installed" test_ref="oval:ssg-test_mcafee_accm_exists:tst:1" />
<ns3:criterion comment="McAfee Audit Engine is installed" test_ref="oval:ssg-test_mcafee_auditengine_exists:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_bluetooth_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable bluetooth Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module bluetooth should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_bluetooth_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module bluetooth disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_bluetooth_disabled:tst:1" />
<ns3:criterion comment="kernel module bluetooth disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module bluetooth disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_bluetooth_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module bluetooth disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_bluetooth_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module bluetooth disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_bluetooth_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_cramfs_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable cramfs Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module cramfs should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_cramfs_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module cramfs disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_cramfs_disabled:tst:1" />
<ns3:criterion comment="kernel module cramfs disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module cramfs disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_cramfs_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module cramfs disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_cramfs_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module cramfs disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_cramfs_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_freevxfs_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable freevxfs Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module freevxfs should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_freevxfs_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module freevxfs disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_freevxfs_disabled:tst:1" />
<ns3:criterion comment="kernel module freevxfs disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module freevxfs disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_freevxfs_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module freevxfs disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_freevxfs_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module freevxfs disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_freevxfs_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_hfs_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable hfs Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module hfs should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_hfs_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module hfs disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_hfs_disabled:tst:1" />
<ns3:criterion comment="kernel module hfs disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_hfs_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module hfs disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_hfs_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module hfs disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_hfs_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module hfs disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_hfs_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_hfsplus_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable hfsplus Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module hfsplus should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_hfsplus_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module hfsplus disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_hfsplus_disabled:tst:1" />
<ns3:criterion comment="kernel module hfsplus disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module hfsplus disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_hfsplus_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module hfsplus disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_hfsplus_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module hfsplus disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_hfsplus_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_jffs2_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable jffs2 Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module jffs2 should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_jffs2_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module jffs2 disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_jffs2_disabled:tst:1" />
<ns3:criterion comment="kernel module jffs2 disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module jffs2 disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_jffs2_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module jffs2 disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_jffs2_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module jffs2 disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_jffs2_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_sctp_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable sctp Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module sctp should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_sctp_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module sctp disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_sctp_disabled:tst:1" />
<ns3:criterion comment="kernel module sctp disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_sctp_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module sctp disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_sctp_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module sctp disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_sctp_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module sctp disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_sctp_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_squashfs_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable squashfs Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module squashfs should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_squashfs_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module squashfs disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_squashfs_disabled:tst:1" />
<ns3:criterion comment="kernel module squashfs disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module squashfs disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_squashfs_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module squashfs disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_squashfs_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module squashfs disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_squashfs_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-kernel_module_udf_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable udf Kernel Module</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel module udf should be disabled.</ns3:description>
<ns3:reference ref_id="20150819" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="kernel_module_udf_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel module udf disabled in /etc/modprobe.d" test_ref="oval:ssg-test_kernmod_udf_disabled:tst:1" />
<ns3:criterion comment="kernel module udf disabled in /etc/modprobe.conf" test_ref="oval:ssg-test_kernmod_udf_modprobeconf:tst:1" />
<ns3:criterion comment="kernel module udf disabled in /etc/modules-load.d" test_ref="oval:ssg-test_kernmod_udf_etcmodules-load:tst:1" />
<ns3:criterion comment="kernel module udf disabled in /run/modules-load.d" test_ref="oval:ssg-test_kernmod_udf_runmodules-load:tst:1" />
<ns3:criterion comment="kernel module udf disabled in /usr/lib/modules-load.d" test_ref="oval:ssg-test_kernmod_udf_libmodules-load:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-mount_option_krb_sec_remote_filesystems:def:1" version="1">
<ns3:metadata>
<ns3:title>Mount Remote Filesystems with Kerberos Security</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The Kerberos security option should be enabled for all NFS mounts in /etc/fstab.</ns3:description>
<ns3:reference ref_id="mount_option_krb_sec_remote_filesystems" source="ssg" /></ns3:metadata>
<ns3:criteria operator="XOR">
<ns3:criterion comment="remote nfs filesystems" test_ref="oval:ssg-test_no_nfs_defined_etc_fstab_krb_sec:tst:1" />
<ns3:criterion comment="remote nfs filesystems" test_ref="oval:ssg-test_nfs_krb_sec_etc_fstab:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-network_disable_ddns_interfaces:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Client Dynamic DNS Updates</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Clients should not automatically update their own
DNS record.</ns3:description>
<ns3:reference ref_id="20160406" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="network_disable_ddns_interfaces" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion test_ref="oval:ssg-test_network_disable_ddns_interfaces_ifcfg:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_network_disable_ddns_interfaces_dhclient:tst:1" />
<ns3:criterion test_ref="oval:ssg-test_network_disable_ddns_interfaces_dhcp:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_nails_enabled:def:1" version="2">
<ns3:metadata>
<ns3:title>Service nails Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The nails service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="service_nails_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="service nails is configured to start" operator="OR">
<ns3:criterion comment="nails runlevel 0" test_ref="oval:ssg-test_runlevel0_nails:tst:1" />
<ns3:criterion comment="nails runlevel 1" test_ref="oval:ssg-test_runlevel1_nails:tst:1" />
<ns3:criterion comment="nails runlevel 2" test_ref="oval:ssg-test_runlevel2_nails:tst:1" />
<ns3:criterion comment="nails runlevel 3" test_ref="oval:ssg-test_runlevel3_nails:tst:1" />
<ns3:criterion comment="nails runlevel 4" test_ref="oval:ssg-test_runlevel4_nails:tst:1" />
<ns3:criterion comment="nails runlevel 5" test_ref="oval:ssg-test_runlevel5_nails:tst:1" />
<ns3:criterion comment="nails runlevel 6" test_ref="oval:ssg-test_runlevel6_nails:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_sshd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service sshd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The sshd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_sshd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR">
<ns3:extend_definition comment="openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1" />
<ns3:criteria comment="service sshd is not configured to start" operator="OR">
<ns3:criterion comment="sshd not wanted by multi-user.target" test_ref="oval:ssg-test_sshd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_disable_compression:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Compression Or Set Compression to delayed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>SSH should either have compression disabled or set to delayed.</ns3:description>
<ns3:reference ref_id="20160401" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sshd_disable_compression" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check Compression in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_compression:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_disable_gssapi_auth:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable GSSAPI Authentication</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Unless needed, disable the GSSAPI authentication option for
the SSH Server.</ns3:description>
<ns3:reference ref_id="20160401" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sshd_disable_gssapi_auth" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check GSSAPIAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_gssapi_auth:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_disable_kerb_auth:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Kerberos Authentication</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Unless needed, disable the Kerberos authentication option for
the SSH Server.</ns3:description>
<ns3:reference ref_id="20160401" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sshd_disable_kerb_auth" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check KerberosAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_kerb_auth:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_enable_strictmodes:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable SSH Server's Strict Mode</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable StrictMode to check users home directory permissions
and configurations.</ns3:description>
<ns3:reference ref_id="20160401" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sshd_enable_strictmodes" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check StrictModes in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_strictmodes:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_print_last_log:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable Print Last Log</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable PrintLastLogStrict to display user's last login time
and date.</ns3:description>
<ns3:reference ref_id="20160410" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sshd_print_last_log" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check PrintLastLog in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_printlastlog:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sshd_use_priv_separation:def:1" version="1">
<ns3:metadata>
<ns3:title>Use Priviledge Separation</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Use priviledge separation to cause the SSH process to drop
root privileges when not needed.</ns3:description>
<ns3:reference ref_id="20160401" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sshd_use_priv_separation" source="ssg" /></ns3:metadata>
<ns3:criteria comment="SSH is not being used or conditions are met" operator="OR">
<ns3:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1" />
<ns3:criterion comment="Check UsePrivilegeSeparation in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_use_priv_separation:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sssd_memcache_timeout:def:1" version="1">
<ns3:metadata>
<ns3:title>Configure SSSD's Memory Cache to Expire</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>SSSD's memory cache should be configured to set to expire records after 1 day.</ns3:description>
<ns3:reference ref_id="20160527" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sssd_memcache_timeout" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check memcache_timeout in /etc/sssd/sssd.conf" test_ref="oval:ssg-test_sssd_memcache_timeout:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sssd_offline_cred_expiration:def:1" version="1">
<ns3:metadata>
<ns3:title>Configure SSSD to Expire Offline Credentials</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>SSSD should be configured to expire offline credentials after 1 day.</ns3:description>
<ns3:reference ref_id="20160527" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sssd_offline_cred_expiration" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check offline_credentials_expiration in /etc/sssd/sssd.conf" test_ref="oval:ssg-test_sssd_offline_cred_expiration:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sssd_ssh_known_hosts_timeout:def:1" version="1">
<ns3:metadata>
<ns3:title>Configure SSSD to Expire SSH Known Hosts</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>SSSD should be configured to expire keys from known SSH hosts after 1 day.</ns3:description>
<ns3:reference ref_id="20160527" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sssd_ssh_known_hosts_timeout" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check ssh_known_hosts_timeout in /etc/sssd/sssd.conf" test_ref="oval:ssg-test_sssd_ssh_known_hosts_timeout:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sudo_remove_no_authenticate:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure !authenticate Is Not Used in Sudo</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Checks interactive shell timeout</ns3:description>
<ns3:reference ref_id="20160606" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sudo_remove_no_authenticate" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="!authenticate does not exist in /etc/sudoers" test_ref="oval:ssg-test_no_authenticate_etc_sudoers:tst:1" />
<ns3:criterion comment="!authenticate does not exist in /etc/sudoers.d" test_ref="oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sudo_remove_nopasswd:def:1" version="1">
<ns3:metadata>
<ns3:title>Ensure NOPASSWD Is Not Used in Sudo</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Checks interactive shell timeout</ns3:description>
<ns3:reference ref_id="20160606" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="sudo_remove_nopasswd" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="NOPASSWD is not configured in /etc/sudoers" test_ref="oval:ssg-test_nopasswd_etc_sudoers:tst:1" />
<ns3:criterion comment="NOPASSWD is not configured in /etc/sudoers.d" test_ref="oval:ssg-test_nopasswd_etc_sudoers_d:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_fs_suid_dumpable:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "fs.suid_dumpable" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "fs.suid_dumpable" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_fs_suid_dumpable" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="fs.suid_dumpable configuration setting check" definition_ref="oval:ssg-sysctl_static_fs_suid_dumpable:def:1" />
<ns3:extend_definition comment="fs.suid_dumpable runtime setting check" definition_ref="oval:ssg-sysctl_runtime_fs_suid_dumpable:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_all_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.all.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_all_accept_redirects:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.all.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_all_accept_redirects:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_all_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.all.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_all_accept_source_route:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.all.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_all_accept_source_route:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.all.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_all_log_martians" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.all.log_martians configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_all_log_martians:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.all.log_martians runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_all_log_martians:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.all.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_all_rp_filter" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.all.rp_filter configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_all_rp_filter:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.all.rp_filter runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_all_rp_filter:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.all.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_all_secure_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.all.secure_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_all_secure_redirects:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.all.secure_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_all_secure_redirects:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.all.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_all_send_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.all.send_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_all_send_redirects:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.all.send_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_all_send_redirects:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_default_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.default.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_default_accept_redirects:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.default.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_default_accept_redirects:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_default_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.default.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_default_accept_source_route:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.default.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_default_accept_source_route:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.default.log_martians" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_default_log_martians" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.default.log_martians configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_default_log_martians:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.default.log_martians runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_default_log_martians:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.default.rp_filter" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_default_rp_filter" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.default.rp_filter configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_default_rp_filter:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.default.rp_filter runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_default_rp_filter:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.default.secure_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_default_secure_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.default.secure_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_default_secure_redirects:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.default.secure_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_default_secure_redirects:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.conf.default.send_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_conf_default_send_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.conf.default.send_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_conf_default_send_redirects:def:1" />
<ns3:extend_definition comment="net.ipv4.conf.default.send_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_conf_default_send_redirects:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.icmp_echo_ignore_broadcasts" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.icmp_echo_ignore_broadcasts configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_icmp_echo_ignore_broadcasts:def:1" />
<ns3:extend_definition comment="net.ipv4.icmp_echo_ignore_broadcasts runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.icmp_ignore_bogus_error_responses" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.icmp_ignore_bogus_error_responses configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_icmp_ignore_bogus_error_responses:def:1" />
<ns3:extend_definition comment="net.ipv4.icmp_ignore_bogus_error_responses runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_ip_forward:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.ip_forward" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.ip_forward" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_ip_forward" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.ip_forward configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_ip_forward:def:1" />
<ns3:extend_definition comment="net.ipv4.ip_forward runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_ip_forward:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.tcp_syncookies" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv4.tcp_syncookies" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_net_ipv4_tcp_syncookies" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv4.tcp_syncookies configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv4_tcp_syncookies:def:1" />
<ns3:extend_definition comment="net.ipv4.tcp_syncookies runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv4_tcp_syncookies:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1" version="4">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv6.conf.all.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="sysctl_net_ipv6_conf_all_accept_ra" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.all.accept_ra set correctly" operator="OR">
<ns3:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.all.accept_ra configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_all_accept_ra:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.all.accept_ra runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_all_accept_ra:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1" version="4">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv6.conf.all.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="sysctl_net_ipv6_conf_all_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.all.accept_redirects set correctly" operator="OR">
<ns3:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.all.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_all_accept_redirects:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.all.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_all_accept_redirects:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1" version="4">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv6.conf.all.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="sysctl_net_ipv6_conf_all_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.all.accept_source_route set correctly" operator="OR">
<ns3:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.all.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_all_accept_source_route:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.all.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_all_accept_source_route:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_forwarding:def:1" version="4">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv6.conf.all.forwarding" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="sysctl_net_ipv6_conf_all_forwarding" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.all.forwarding set correctly" operator="OR">
<ns3:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.all.forwarding configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_all_forwarding:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.all.forwarding runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_all_forwarding:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1" version="4">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv6.conf.default.accept_ra" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="sysctl_net_ipv6_conf_default_accept_ra" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.default.accept_ra set correctly" operator="OR">
<ns3:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.default.accept_ra configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_default_accept_ra:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.default.accept_ra runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_default_accept_ra:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1" version="4">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv6.conf.default.accept_redirects" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="sysctl_net_ipv6_conf_default_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.default.accept_redirects set correctly" operator="OR">
<ns3:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.default.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_default_accept_redirects:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.default.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_default_accept_redirects:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1" version="4">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration and Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The "net.ipv6.conf.default.accept_source_route" kernel parameter should be set to the appropriate value in both system configuration and system runtime.</ns3:description>
<ns3:reference ref_id="RHEL7_20150408" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="sdw" />
<ns3:reference ref_id="sysctl_net_ipv6_conf_default_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria comment="IPv6 disabled or net.ipv6.conf.default.accept_source_route set correctly" operator="OR">
<ns3:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1" />
<ns3:criteria operator="AND">
<ns3:extend_definition comment="net.ipv6.conf.default.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_static_net_ipv6_conf_default_accept_source_route:def:1" />
<ns3:extend_definition comment="net.ipv6.conf.default.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_runtime_net_ipv6_conf_default_accept_source_route:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_fs_suid_dumpable:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "fs.suid_dumpable" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "fs.suid_dumpable" parameter should be set to "0" in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_fs_suid_dumpable" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter fs.suid_dumpable set to 0" test_ref="oval:ssg-test_runtime_sysctl_fs_suid_dumpable:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_all_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.accept_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_all_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_all_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.accept_source_route" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_all_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_all_log_martians:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.log_martians" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_all_log_martians" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_log_martians:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_all_rp_filter:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.rp_filter" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_all_rp_filter" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_rp_filter:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_all_secure_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.secure_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_all_secure_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_secure_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_all_send_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.send_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_all_send_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_send_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_default_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.accept_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_default_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_default_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.accept_source_route" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_default_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_default_log_martians:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.log_martians" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_default_log_martians" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_log_martians:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_default_rp_filter:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.rp_filter" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_default_rp_filter" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_rp_filter:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_ip_forward:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.ip_forward" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.ip_forward" parameter should be set to "0" in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_ip_forward" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.ip_forward set to 0" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_ip_forward:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_default_secure_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.secure_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_default_secure_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_secure_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_conf_default_send_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.send_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_conf_default_send_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_send_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_icmp_echo_ignore_broadcasts" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_icmp_ignore_bogus_error_responses" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv4_tcp_syncookies:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.tcp_syncookies" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv4_tcp_syncookies" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv4_tcp_syncookies:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_all_accept_ra:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_ra" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_all_accept_ra" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_accept_ra:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_all_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_all_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_all_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_source_route" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_all_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_all_forwarding:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.forwarding" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_all_forwarding" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_forwarding:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_default_accept_ra:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_ra" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_default_accept_ra" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_default_accept_ra:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_default_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_redirects" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_default_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_default_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_runtime_net_ipv6_conf_default_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_source_route" Parameter Runtime Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in system runtime.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_runtime_net_ipv6_conf_default_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_runtime_sysctl_net_ipv6_conf_default_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_fs_suid_dumpable:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "fs.suid_dumpable" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "fs.suid_dumpable" parameter should be set to "0" in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_fs_suid_dumpable" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter fs.suid_dumpable set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_fs_suid_dumpable:tst:1" />
<ns3:criterion comment="kernel static parameter fs.suid_dumpable set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_fs_suid_dumpable:tst:1" />
<ns3:criterion comment="kernel static parameter fs.suid_dumpable set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_fs_suid_dumpable:tst:1" />
<ns3:criterion comment="kernel static parameter fs.suid_dumpable set to 0 in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_fs_suid_dumpable:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_all_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.accept_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_all_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_redirects set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_all_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.accept_source_route" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_all_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.accept_source_route set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_all_log_martians:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.log_martians" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.log_martians" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_all_log_martians" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.log_martians set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.log_martians set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.log_martians set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.log_martians set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_all_rp_filter:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.rp_filter" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.rp_filter" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_all_rp_filter" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.rp_filter set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.rp_filter set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.rp_filter set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.rp_filter set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_all_secure_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.secure_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.secure_redirects" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_all_secure_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.secure_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.secure_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.secure_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.secure_redirects set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_all_send_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.all.send_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.all.send_redirects" parameter should be set to "0" in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_all_send_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.send_redirects set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.send_redirects set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.send_redirects set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.all.send_redirects set to 0 in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_default_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.accept_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_default_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_redirects set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_default_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.accept_source_route" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_default_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.accept_source_route set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_default_log_martians:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.log_martians" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.log_martians" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_default_log_martians" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.log_martians set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_default_log_martians:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.log_martians set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_log_martians:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.log_martians set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_log_martians:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.log_martians set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_default_rp_filter:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.rp_filter" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.rp_filter" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_default_rp_filter" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.rp_filter set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.rp_filter set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.rp_filter set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.rp_filter set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_default_secure_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.secure_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.secure_redirects" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_default_secure_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.secure_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.secure_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.secure_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.secure_redirects set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_conf_default_send_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.conf.default.send_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.conf.default.send_redirects" parameter should be set to "0" in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_conf_default_send_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.send_redirects set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.send_redirects set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.send_redirects set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.conf.default.send_redirects set to 0 in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_icmp_echo_ignore_broadcasts:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.icmp_echo_ignore_broadcasts" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.icmp_echo_ignore_broadcasts" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_icmp_echo_ignore_broadcasts" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_icmp_ignore_bogus_error_responses:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.icmp_ignore_bogus_error_responses" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.icmp_ignore_bogus_error_responses" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_icmp_ignore_bogus_error_responses" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_ip_forward:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.ip_forward" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.ip_forward" parameter should be set to "0" in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_ip_forward" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.ip_forward set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.ip_forward set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.ip_forward set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.ip_forward set to 0 in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv4_tcp_syncookies:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv4.tcp_syncookies" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv4.tcp_syncookies" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv4_tcp_syncookies" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv4.tcp_syncookies set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.tcp_syncookies set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.tcp_syncookies set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv4.tcp_syncookies set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_all_accept_ra:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_ra" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.accept_ra" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_all_accept_ra" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_ra set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_ra set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_ra set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_ra set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_all_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.accept_redirects" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_all_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_redirects set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_all_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.accept_source_route" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.accept_source_route" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_all_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.accept_source_route set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_all_forwarding:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.all.forwarding" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.all.forwarding" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_all_forwarding" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.forwarding set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_all_forwarding:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.forwarding set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_forwarding:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.forwarding set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_forwarding:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.all.forwarding set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_forwarding:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_default_accept_ra:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_ra" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.default.accept_ra" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_default_accept_ra" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_ra set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_ra set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_ra set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_ra set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_default_accept_redirects:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_redirects" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.default.accept_redirects" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_default_accept_redirects" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_redirects set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-sysctl_static_net_ipv6_conf_default_accept_source_route:def:1" version="3">
<ns3:metadata>
<ns3:title>Kernel "net.ipv6.conf.default.accept_source_route" Parameter Configuration Check</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kernel "net.ipv6.conf.default.accept_source_route" parameter should be set to the appropriate value in the system configuration.</ns3:description>
<ns3:reference ref_id="20140912" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="sysctl_static_net_ipv6_conf_default_accept_source_route" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1" />
<ns3:criterion comment="kernel static parameter net.ipv6.conf.default.accept_source_route set to the appropriate value in /usr/lib/sysctl.d/*.conf" test_ref="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-use_kerberos_security_all_exports:def:1" version="3">
<ns3:metadata>
<ns3:title>Use Kerberos Security on All Exports</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Using Kerberos Security allows to cryptography authenticate a
valid user to an NFS share.</ns3:description>
<ns3:reference ref_id="20160411" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="use_kerberos_security_all_exports" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criterion comment="Check for Kerberos settings in /etc/exports" test_ref="oval:ssg-test_use_kerberos_security_all_exports:tst:1" />
<ns3:criterion comment="Check for a share in /etc/exports" negate="true" test_ref="oval:ssg-test_non_empty_exports_file:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-chronyd_specify_multiple_servers:def:1" version="1">
<ns3:metadata>
<ns3:title>Specify Multiple Remote chronyd NTP Servers for Time Data</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Multiple chronyd NTP Servers for time synchronization should be specified.</ns3:description>
<ns3:reference ref_id="RHEL7_20150824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="chronyd_specify_multiple_servers" source="ssg" /></ns3:metadata>
<ns3:criteria comment="chrony.conf conditions are met">
<ns3:criterion test_ref="oval:ssg-test_chronyd_multiple_servers:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-chronyd_specify_remote_server:def:1" version="1">
<ns3:metadata>
<ns3:title>Specify a Remote NTP Server for Time Data</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>A remote NTP Server for time synchronization should be
specified (and dependencies are met)</ns3:description>
<ns3:reference ref_id="RHEL7_20150824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="chronyd_specify_remote_server" source="ssg" /></ns3:metadata>
<ns3:criteria comment="chrony.conf conditions are met">
<ns3:criterion test_ref="oval:ssg-test_chronyd_remote_server:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-disable_ctrlaltdel_reboot:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Ctrl-Alt-Del Reboot Activation</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>By default, the system will reboot when the
Ctrl-Alt-Del key sequence is pressed.</ns3:description>
<ns3:reference ref_id="20160111" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="disable_ctrlaltdel_reboot" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Disable Ctrl-Alt-Del systemd softlink exists" test_ref="oval:ssg-test_disable_ctrlaltdel_exists:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dovecot_disable_plaintext_auth:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable Plaintext Authentication in Dovecot</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Plaintext authentication of mail clients should be disabled.</ns3:description>
<ns3:reference ref_id="RHEL7_20160208" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="dovecot_disable_plaintext_auth" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Disable Plaintext Authentication in Dovecot" operator="OR">
<ns3:extend_definition comment="dovecot service is disabled" definition_ref="oval:ssg-service_dovecot_disabled:def:1" />
<ns3:criterion test_ref="oval:ssg-test_dovecot_disable_plaintext_auth:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-dovecot_enable_ssl:def:1" version="1">
<ns3:metadata>
<ns3:title>Enable SSL in Dovecot</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>SSL capabilities should be enabled for the mail server.</ns3:description>
<ns3:reference ref_id="RHEL7_20160208" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="dovecot_enable_ssl" source="ssg" /></ns3:metadata>
<ns3:criteria comment="Enable SSL in Dovecot" operator="OR">
<ns3:extend_definition comment="dovecot service is disabled" definition_ref="oval:ssg-service_dovecot_disabled:def:1" />
<ns3:criterion test_ref="oval:ssg-test_dovecot_enable_ssl:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ntpd_specify_multiple_servers:def:1" version="2">
<ns3:metadata>
<ns3:title>Specify Multiple Remote ntpd NTP Server for Time Data</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Multiple ntpd NTP Servers for time synchronization should be specified.</ns3:description>
<ns3:reference ref_id="RHEL7_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="ntpd_specify_multiple_servers" source="ssg" /></ns3:metadata>
<ns3:criteria comment="ntp.conf conditions are met">
<ns3:criterion test_ref="oval:ssg-test_ntpd_multiple_servers:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-ntpd_specify_remote_server:def:1" version="2">
<ns3:metadata>
<ns3:title>Specify a Remote ntpd NTP Server for Time Data</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>A remote ntpd NTP Server for time synchronization should be
specified (and dependencies are met)</ns3:description>
<ns3:reference ref_id="RHEL7_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="ntpd_specify_remote_server" source="ssg" /></ns3:metadata>
<ns3:criteria comment="ntp.conf conditions are met">
<ns3:criterion test_ref="oval:ssg-test_ntp_remote_server:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_chrony_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package chrony Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package chrony should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_chrony_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package chrony is installed" test_ref="oval:ssg-test_package_chrony_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_cronie_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package cronie Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package cronie should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20150923" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="FEDORA22_20150923" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="package_cronie_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package cronie is installed" test_ref="oval:ssg-test_package_cronie_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_firewalld_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package firewalld Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package firewalld should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_firewalld_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package firewalld is installed" test_ref="oval:ssg-test_package_firewalld_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-postfix_network_listening_disabled:def:1" version="2">
<ns3:metadata>
<ns3:title>Postfix network listening should be disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Postfix network listening should be disabled</ns3:description>
<ns3:reference ref_id="RHEL7_20160802" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="postfix_network_listening_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:extend_definition comment="Postfix installed and configured to start" definition_ref="oval:ssg-service_postfix_enabled:def:1" negate="true" />
<ns3:criterion comment="Check inet_interfaces in /etc/postfix/main.cf" test_ref="oval:ssg-test_postfix_network_listening_disabled:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-rsyslog_files_groupownership:def:1" version="1">
<ns3:metadata>
<ns3:title>Confirm Existence and Permissions of System Log Files</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>All syslog log files should be owned by the appropriate group.</ns3:description>
<ns3:reference ref_id="RHEL6_20160115" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150827" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150827" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="rsyslog_files_groupownership" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check if all system log files are owned by root group" test_ref="oval:ssg-test_rsyslog_files_groupownership:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-rsyslog_files_ownership:def:1" version="1">
<ns3:metadata>
<ns3:title>Confirm Existence and Permissions of System Log Files</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Debian 8</ns3:platform>
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>All syslog log files should be owned by the appropriate user.</ns3:description>
<ns3:reference ref_id="RHEL6_20160115" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150827" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150827" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="rsyslog_files_ownership" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check if all system log files are owned by root user" test_ref="oval:ssg-test_rsyslog_files_ownership:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-rsyslog_files_permissions:def:1" version="1">
<ns3:metadata>
<ns3:title>Confirm Existence and Permissions of System Log Files</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>File permissions for all syslog log files should be set correctly.</ns3:description>
<ns3:reference ref_id="RHEL6_20160115" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="RHEL7_20150827" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="FEDORA22_20150827" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="rsyslog_files_permissions" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="Check permissions of all system log files" test_ref="oval:ssg-test_rsyslog_files_permissions:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_dovecot_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service dovecot Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The dovecot service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_dovecot_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package dovecot removed or service dovecot is not configured to start" operator="OR">
<ns3:extend_definition comment="dovecot removed" definition_ref="oval:ssg-package_dovecot_removed:def:1" />
<ns3:criteria comment="service dovecot is not configured to start" operator="OR">
<ns3:criterion comment="dovecot not wanted by multi-user.target" test_ref="oval:ssg-test_dovecot_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-xwindows_runlevel_setting:def:1" version="1">
<ns3:metadata>
<ns3:title>Disable X Windows Startup By Setting Default SystemD Target</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Fedora 22</ns3:platform>
<ns3:platform>Fedora 23</ns3:platform>
<ns3:platform>Fedora 24</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Checks /etc/systemd/system/default.target to ensure that the default runlevel target is set to multi-user.target.</ns3:description>
<ns3:reference ref_id="20160111" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="xwindows_runlevel_setting" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="default.target systemd softlink exists" test_ref="oval:ssg-test_disable_xwindows_runlevel:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1" version="1">
<ns3:metadata>
<ns3:title>Specify Multiple Remote chronyd Or ntpd NTP Servers for Time Data</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met)</ns3:description>
<ns3:reference ref_id="RHEL7_20150824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="chronyd_or_ntpd_specify_multiple_servers" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria comment="chronyd enabled and multiple remote servers specified" operator="AND">
<ns3:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1" />
<ns3:extend_definition comment="multiple chronyd remote servers specified" definition_ref="oval:ssg-chronyd_specify_multiple_servers:def:1" />
</ns3:criteria>
<ns3:criteria comment="ntpd enabled and multile remote servers specified" operator="AND">
<ns3:extend_definition comment="service ntpd enabled" definition_ref="oval:ssg-service_ntpd_enabled:def:1" />
<ns3:extend_definition comment="multiple ntpd remote servers specified" definition_ref="oval:ssg-ntpd_specify_multiple_servers:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1" version="1">
<ns3:metadata>
<ns3:title>Specify Remote NTP chronyd Or ntpd Server for Time Data</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met)</ns3:description>
<ns3:reference ref_id="RHEL7_20150824" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="chronyd_or_ntpd_specify_remote_server" source="ssg" /></ns3:metadata>
<ns3:criteria operator="OR">
<ns3:criteria comment="chronyd enabled and remote server specified" operator="AND">
<ns3:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1" />
<ns3:extend_definition comment="chronyd remote server specified" definition_ref="oval:ssg-chronyd_specify_remote_server:def:1" />
</ns3:criteria>
<ns3:criteria comment="ntpd enabled and remote server specified" operator="AND">
<ns3:extend_definition comment="service ntpd enabled" definition_ref="oval:ssg-service_ntpd_enabled:def:1" />
<ns3:extend_definition comment="ntpd remote server specified" definition_ref="oval:ssg-ntpd_specify_remote_server:def:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_abrt_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package abrt Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package abrt should be removed.</ns3:description>
<ns3:reference ref_id="RHEL7_20160221" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_abrt_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package abrt is removed" test_ref="oval:ssg-test_package_abrt_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_acpid_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package acpid Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package acpid should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_acpid_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package acpid is removed" test_ref="oval:ssg-test_package_acpid_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_at_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package at Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package at should be removed.</ns3:description>
<ns3:reference ref_id="RHEL7_20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_at_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package at is removed" test_ref="oval:ssg-test_package_at_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_autofs_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package autofs Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package autofs should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_autofs_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package autofs is removed" test_ref="oval:ssg-test_package_autofs_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_avahi_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package avahi Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package avahi should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_avahi_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package avahi is removed" test_ref="oval:ssg-test_package_avahi_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_bluez_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package bluez Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package bluez should be removed.</ns3:description>
<ns3:reference ref_id="RHEL7_20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_bluez_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package bluez is removed" test_ref="oval:ssg-test_package_bluez_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_certmonger_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package certmonger Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package certmonger should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_certmonger_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package certmonger is removed" test_ref="oval:ssg-test_package_certmonger_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_cups_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package cups Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package cups should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_cups_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package cups is removed" test_ref="oval:ssg-test_package_cups_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_cyrus-sasl_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package cyrus-sasl Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package cyrus-sasl should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_cyrus-sasl_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package cyrus-sasl is removed" test_ref="oval:ssg-test_package_cyrus-sasl_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_dbus_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package dbus Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package dbus should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_dbus_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package dbus is removed" test_ref="oval:ssg-test_package_dbus_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_esc_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package esc Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package esc should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_esc_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package esc is installed" test_ref="oval:ssg-test_package_esc_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_iputils_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package iputils Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package iputils should be removed.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_iputils_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package iputils is removed" test_ref="oval:ssg-test_package_iputils_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_irqbalance_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package irqbalance Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package irqbalance should be installed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_irqbalance_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package irqbalance is installed" test_ref="oval:ssg-test_package_irqbalance_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_kernel-tools_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package kernel-tools Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package kernel-tools should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_kernel-tools_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package kernel-tools is removed" test_ref="oval:ssg-test_package_kernel-tools_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_kexec-tools_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package kexec-tools Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package kexec-tools should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_kexec-tools_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package kexec-tools is removed" test_ref="oval:ssg-test_package_kexec-tools_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_libcgroup-tools_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package libcgroup-tools Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package libcgroup-tools should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_libcgroup-tools_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package libcgroup-tools is removed" test_ref="oval:ssg-test_package_libcgroup-tools_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_libcgroup_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package libcgroup Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package libcgroup should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_libcgroup_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package libcgroup is removed" test_ref="oval:ssg-test_package_libcgroup_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_mdadm_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package mdadm Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package mdadm should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_mdadm_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package mdadm is removed" test_ref="oval:ssg-test_package_mdadm_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_nfs-utils_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package nfs-utils Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package nfs-utils should be removed.</ns3:description>
<ns3:reference ref_id="RHEL7_20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_nfs-utils_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package nfs-utils is removed" test_ref="oval:ssg-test_package_nfs-utils_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_ntpdate_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package ntpdate Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package ntpdate should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_ntpdate_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package ntpdate is removed" test_ref="oval:ssg-test_package_ntpdate_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_oddjob_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package oddjob Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package oddjob should be removed.</ns3:description>
<ns3:reference ref_id="RHEL7_20150606" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_oddjob_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package oddjob is removed" test_ref="oval:ssg-test_package_oddjob_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_openssh-server_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package openssh-server Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package openssh-server should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_openssh-server_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package openssh-server is installed" test_ref="oval:ssg-test_package_openssh-server_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_pam_pkcs11_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package pam_pkcs11 Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package pam_pkcs11 should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_pam_pkcs11_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package pam_pkcs11 is installed" test_ref="oval:ssg-test_package_pam_pkcs11_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_pcsc-lite_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package pcsc-lite Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package pcsc-lite should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20151130" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_pcsc-lite_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package pcsc-lite is installed" test_ref="oval:ssg-test_package_pcsc-lite_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_portreserve_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package portreserve Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package portreserve should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_portreserve_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package portreserve is removed" test_ref="oval:ssg-test_package_portreserve_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_postfix_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package postfix Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package postfix should be installed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_postfix_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package postfix is installed" test_ref="oval:ssg-test_package_postfix_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_psacct_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package psacct Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package psacct should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_psacct_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package psacct is installed" test_ref="oval:ssg-test_package_psacct_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_qpid-cpp-server_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package qpid-cpp-server Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package qpid-cpp-server should be removed.</ns3:description>
<ns3:reference ref_id="RHEL7_20150606" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_qpid-cpp-server_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package qpid-cpp-server is removed" test_ref="oval:ssg-test_package_qpid-cpp-server_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_quagga_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package quagga Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package quagga should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_quagga_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package quagga is removed" test_ref="oval:ssg-test_package_quagga_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_quota-nld_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package quota-nld Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package quota-nld should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_quota-nld_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package quota-nld is removed" test_ref="oval:ssg-test_package_quota-nld_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_rhnsd_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package rhnsd Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package rhnsd should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_rhnsd_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package rhnsd is removed" test_ref="oval:ssg-test_package_rhnsd_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_samba_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package samba Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package samba should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_samba_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package samba is removed" test_ref="oval:ssg-test_package_samba_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_smartmontools_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package smartmontools Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package smartmontools should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_smartmontools_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package smartmontools is removed" test_ref="oval:ssg-test_package_smartmontools_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_sssd_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package sssd Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package sssd should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_sssd_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package sssd is installed" test_ref="oval:ssg-test_package_sssd_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_subscription-manager_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package subscription-manager Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package subscription-manager should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_subscription-manager_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package subscription-manager is removed" test_ref="oval:ssg-test_package_subscription-manager_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_sysstat_removed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package sysstat Removed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
<ns3:platform>Red Hat Enterprise Linux 6</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package sysstat should be removed.</ns3:description>
<ns3:reference ref_id="20130829" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="swells" />
<ns3:reference ref_id="package_sysstat_removed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package sysstat is removed" test_ref="oval:ssg-test_package_sysstat_removed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_tcp_wrappers_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package tcp_wrappers Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package tcp_wrappers should be installed.</ns3:description>
<ns3:reference ref_id="20160330" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="package_tcp_wrappers_installed" source="ssg" /></ns3:metadata>
<ns3:criteria operator="AND">
<ns3:extend_definition comment="xinetd package installed" definition_ref="oval:ssg-package_xinetd_installed:def:1" />
<ns3:criterion comment="package tcp_wrappers is installed" test_ref="oval:ssg-test_package_tcp_wrappers_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-package_xinetd_installed:def:1" version="1">
<ns3:metadata>
<ns3:title>Package xinetd Installed</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The RPM package xinetd should be installed.</ns3:description>
<ns3:reference ref_id="RHEL7_20140921" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="package_xinetd_installed" source="ssg" /></ns3:metadata>
<ns3:criteria>
<ns3:criterion comment="package xinetd is installed" test_ref="oval:ssg-test_package_xinetd_installed:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-pcscd_activation_socket_enabled:def:1" version="2">
<ns3:metadata>
<ns3:title>pcscd.socket Activation Socket Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The pcscd.socket activation socket should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20151130" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="pcscd_activation_socket_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package pcsc-lite installed and pcscd.socket activation socket is configured to start" operator="AND">
<ns3:extend_definition comment="pcsc-lite installed" definition_ref="oval:ssg-package_pcsc-lite_installed:def:1" />
<ns3:criteria comment="pcscd.socket activation socket is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants pcscd.socket" test_ref="oval:ssg-test_multi_user_wants_pcscd.socket:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_abrtd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service abrtd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The abrtd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_abrtd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package abrt removed or service abrtd is not configured to start" operator="OR">
<ns3:extend_definition comment="abrt removed" definition_ref="oval:ssg-package_abrt_removed:def:1" />
<ns3:criteria comment="service abrtd is not configured to start" operator="OR">
<ns3:criterion comment="abrtd not wanted by multi-user.target" test_ref="oval:ssg-test_abrtd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_acpid_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service acpid Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The acpid service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_acpid_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package acpid removed or service acpid is not configured to start" operator="OR">
<ns3:extend_definition comment="acpid removed" definition_ref="oval:ssg-package_acpid_removed:def:1" />
<ns3:criteria comment="service acpid is not configured to start" operator="OR">
<ns3:criterion comment="acpid not wanted by multi-user.target" test_ref="oval:ssg-test_acpid_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_atd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service atd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The atd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_atd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package at removed or service atd is not configured to start" operator="OR">
<ns3:extend_definition comment="at removed" definition_ref="oval:ssg-package_at_removed:def:1" />
<ns3:criteria comment="service atd is not configured to start" operator="OR">
<ns3:criterion comment="atd not wanted by multi-user.target" test_ref="oval:ssg-test_atd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_auditd_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service auditd Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The auditd service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_auditd_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package audit installed and service auditd is configured to start" operator="AND">
<ns3:extend_definition comment="audit installed" definition_ref="oval:ssg-package_audit_installed:def:1" />
<ns3:criteria comment="service auditd is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants auditd" test_ref="oval:ssg-test_multi_user_wants_auditd:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service autofs Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The autofs service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_autofs_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package autofs removed or service autofs is not configured to start" operator="OR">
<ns3:extend_definition comment="autofs removed" definition_ref="oval:ssg-package_autofs_removed:def:1" />
<ns3:criteria comment="service autofs is not configured to start" operator="OR">
<ns3:criterion comment="autofs not wanted by multi-user.target" test_ref="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_avahi-daemon_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service avahi-daemon Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The avahi-daemon service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_avahi-daemon_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package avahi removed or service avahi-daemon is not configured to start" operator="OR">
<ns3:extend_definition comment="avahi removed" definition_ref="oval:ssg-package_avahi_removed:def:1" />
<ns3:criteria comment="service avahi-daemon is not configured to start" operator="OR">
<ns3:criterion comment="avahi-daemon not wanted by multi-user.target" test_ref="oval:ssg-test_avahi-daemon_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_bluetooth_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service bluetooth Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The bluetooth service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_bluetooth_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package bluez removed or service bluetooth is not configured to start" operator="OR">
<ns3:extend_definition comment="bluez removed" definition_ref="oval:ssg-package_bluez_removed:def:1" />
<ns3:criteria comment="service bluetooth is not configured to start" operator="OR">
<ns3:criterion comment="bluetooth not wanted by multi-user.target" test_ref="oval:ssg-test_bluetooth_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_certmonger_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service certmonger Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The certmonger service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_certmonger_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package certmonger removed or service certmonger is not configured to start" operator="OR">
<ns3:extend_definition comment="certmonger removed" definition_ref="oval:ssg-package_certmonger_removed:def:1" />
<ns3:criteria comment="service certmonger is not configured to start" operator="OR">
<ns3:criterion comment="certmonger not wanted by multi-user.target" test_ref="oval:ssg-test_certmonger_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_cgconfig_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service cgconfig Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The cgconfig service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_cgconfig_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package libcgroup removed or service cgconfig is not configured to start" operator="OR">
<ns3:extend_definition comment="libcgroup removed" definition_ref="oval:ssg-package_libcgroup_removed:def:1" />
<ns3:criteria comment="service cgconfig is not configured to start" operator="OR">
<ns3:criterion comment="cgconfig not wanted by multi-user.target" test_ref="oval:ssg-test_cgconfig_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_cgred_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service cgred Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The cgred service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_cgred_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package libcgroup-tools removed or service cgred is not configured to start" operator="OR">
<ns3:extend_definition comment="libcgroup-tools removed" definition_ref="oval:ssg-package_libcgroup-tools_removed:def:1" />
<ns3:criteria comment="service cgred is not configured to start" operator="OR">
<ns3:criterion comment="cgred not wanted by multi-user.target" test_ref="oval:ssg-test_cgred_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_chronyd_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service chronyd Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The chronyd service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_chronyd_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package chrony installed and service chronyd is configured to start" operator="AND">
<ns3:extend_definition comment="chrony installed" definition_ref="oval:ssg-package_chrony_installed:def:1" />
<ns3:criteria comment="service chronyd is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants chronyd" test_ref="oval:ssg-test_multi_user_wants_chronyd:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_chronyd_or_ntpd_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service chronyd Or Service ntpd Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>At least one of the chronyd or ntpd services should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150705" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_chronyd_or_ntpd_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="chronyd or ntpd service enabled" operator="OR">
<ns3:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1" />
<ns3:extend_definition comment="service ntpd enabled" definition_ref="oval:ssg-service_ntpd_enabled:def:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_cpupower_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service cpupower Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The cpupower service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_cpupower_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package kernel-tools removed or service cpupower is not configured to start" operator="OR">
<ns3:extend_definition comment="kernel-tools removed" definition_ref="oval:ssg-package_kernel-tools_removed:def:1" />
<ns3:criteria comment="service cpupower is not configured to start" operator="OR">
<ns3:criterion comment="cpupower not wanted by multi-user.target" test_ref="oval:ssg-test_cpupower_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_crond_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service crond Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The crond service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_crond_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package cronie installed and service crond is configured to start" operator="AND">
<ns3:extend_definition comment="cronie installed" definition_ref="oval:ssg-package_cronie_installed:def:1" />
<ns3:criteria comment="service crond is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants crond" test_ref="oval:ssg-test_multi_user_wants_crond:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_cups_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service cups Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The cups service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_cups_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package cups removed or service cups is not configured to start" operator="OR">
<ns3:extend_definition comment="cups removed" definition_ref="oval:ssg-package_cups_removed:def:1" />
<ns3:criteria comment="service cups is not configured to start" operator="OR">
<ns3:criterion comment="cups not wanted by multi-user.target" test_ref="oval:ssg-test_cups_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_debug-shell_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service debug-shell Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The debug-shell service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20151014" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="service_debug-shell_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package debug-shell removed or service debug-shell is not configured to start" operator="AND">
<ns3:criterion comment="debug-shell not wanted by multi-user.target" test_ref="oval:ssg-test_debug-shell_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_dhcpd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service dhcpd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The dhcpd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_dhcpd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package dhcp removed or service dhcpd is not configured to start" operator="OR">
<ns3:extend_definition comment="dhcp removed" definition_ref="oval:ssg-package_dhcp_removed:def:1" />
<ns3:criteria comment="service dhcpd is not configured to start" operator="OR">
<ns3:criterion comment="dhcpd not wanted by multi-user.target" test_ref="oval:ssg-test_dhcpd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_firewalld_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service firewalld Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The firewalld service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_firewalld_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package firewalld installed and service firewalld is configured to start" operator="AND">
<ns3:extend_definition comment="firewalld installed" definition_ref="oval:ssg-package_firewalld_installed:def:1" />
<ns3:criteria comment="service firewalld is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants firewalld" test_ref="oval:ssg-test_multi_user_wants_firewalld:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_httpd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service httpd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The httpd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_httpd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package httpd removed or service httpd is not configured to start" operator="OR">
<ns3:extend_definition comment="httpd removed" definition_ref="oval:ssg-package_httpd_removed:def:1" />
<ns3:criteria comment="service httpd is not configured to start" operator="OR">
<ns3:criterion comment="httpd not wanted by multi-user.target" test_ref="oval:ssg-test_httpd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_irqbalance_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service irqbalance Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The irqbalance service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_irqbalance_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package irqbalance installed and service irqbalance is configured to start" operator="AND">
<ns3:extend_definition comment="irqbalance installed" definition_ref="oval:ssg-package_irqbalance_installed:def:1" />
<ns3:criteria comment="service irqbalance is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants irqbalance" test_ref="oval:ssg-test_multi_user_wants_irqbalance:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_kdump_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service kdump Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The kdump service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_kdump_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package kexec-tools removed or service kdump is not configured to start" operator="OR">
<ns3:extend_definition comment="kexec-tools removed" definition_ref="oval:ssg-package_kexec-tools_removed:def:1" />
<ns3:criteria comment="service kdump is not configured to start" operator="OR">
<ns3:criterion comment="kdump not wanted by multi-user.target" test_ref="oval:ssg-test_kdump_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_mdmonitor_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service mdmonitor Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The mdmonitor service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_mdmonitor_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package mdadm removed or service mdmonitor is not configured to start" operator="OR">
<ns3:extend_definition comment="mdadm removed" definition_ref="oval:ssg-package_mdadm_removed:def:1" />
<ns3:criteria comment="service mdmonitor is not configured to start" operator="OR">
<ns3:criterion comment="mdmonitor not wanted by multi-user.target" test_ref="oval:ssg-test_mdmonitor_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_messagebus_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service messagebus Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The messagebus service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_messagebus_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package dbus removed or service messagebus is not configured to start" operator="OR">
<ns3:extend_definition comment="dbus removed" definition_ref="oval:ssg-package_dbus_removed:def:1" />
<ns3:criteria comment="service messagebus is not configured to start" operator="OR">
<ns3:criterion comment="messagebus not wanted by multi-user.target" test_ref="oval:ssg-test_messagebus_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_named_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service named Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The named service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_named_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package bind removed or service named is not configured to start" operator="OR">
<ns3:extend_definition comment="bind removed" definition_ref="oval:ssg-package_bind_removed:def:1" />
<ns3:criteria comment="service named is not configured to start" operator="OR">
<ns3:criterion comment="named not wanted by multi-user.target" test_ref="oval:ssg-test_named_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_netconsole_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service netconsole Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The netconsole service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_netconsole_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="service netconsole is not configured to start" operator="OR">
<ns3:criterion comment="netconsole not wanted by multi-user.target" test_ref="oval:ssg-test_netconsole_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_nfs_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service nfs Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The nfs service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_nfs_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package nfs-utils removed or service nfs is not configured to start" operator="OR">
<ns3:extend_definition comment="nfs-utils removed" definition_ref="oval:ssg-package_nfs-utils_removed:def:1" />
<ns3:criteria comment="service nfs is not configured to start" operator="OR">
<ns3:criterion comment="nfs not wanted by multi-user.target" test_ref="oval:ssg-test_nfs_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_nfslock_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service nfslock Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The nfslock service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_nfslock_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package nfs-utils removed or service nfslock is not configured to start" operator="OR">
<ns3:extend_definition comment="nfs-utils removed" definition_ref="oval:ssg-package_nfs-utils_removed:def:1" />
<ns3:criteria comment="service nfslock is not configured to start" operator="OR">
<ns3:criterion comment="nfslock not wanted by multi-user.target" test_ref="oval:ssg-test_nfslock_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_ntpd_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service ntpd Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The ntpd service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_ntpd_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package ntp installed and service ntpd is configured to start" operator="AND">
<ns3:extend_definition comment="ntp installed" definition_ref="oval:ssg-package_ntp_installed:def:1" />
<ns3:criteria comment="service ntpd is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants ntpd" test_ref="oval:ssg-test_multi_user_wants_ntpd:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_ntpdate_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service ntpdate Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The ntpdate service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_ntpdate_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package ntpdate removed or service ntpdate is not configured to start" operator="OR">
<ns3:extend_definition comment="ntpdate removed" definition_ref="oval:ssg-package_ntpdate_removed:def:1" />
<ns3:criteria comment="service ntpdate is not configured to start" operator="OR">
<ns3:criterion comment="ntpdate not wanted by multi-user.target" test_ref="oval:ssg-test_ntpdate_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_oddjobd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service oddjobd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The oddjobd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_oddjobd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package oddjob removed or service oddjobd is not configured to start" operator="OR">
<ns3:extend_definition comment="oddjob removed" definition_ref="oval:ssg-package_oddjob_removed:def:1" />
<ns3:criteria comment="service oddjobd is not configured to start" operator="OR">
<ns3:criterion comment="oddjobd not wanted by multi-user.target" test_ref="oval:ssg-test_oddjobd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_portreserve_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service portreserve Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The portreserve service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_portreserve_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package portreserve removed or service portreserve is not configured to start" operator="OR">
<ns3:extend_definition comment="portreserve removed" definition_ref="oval:ssg-package_portreserve_removed:def:1" />
<ns3:criteria comment="service portreserve is not configured to start" operator="OR">
<ns3:criterion comment="portreserve not wanted by multi-user.target" test_ref="oval:ssg-test_portreserve_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_postfix_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service postfix Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The postfix service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_postfix_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package postfix installed and service postfix is configured to start" operator="AND">
<ns3:extend_definition comment="postfix installed" definition_ref="oval:ssg-package_postfix_installed:def:1" />
<ns3:criteria comment="service postfix is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants postfix" test_ref="oval:ssg-test_multi_user_wants_postfix:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_psacct_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service psacct Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The psacct service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_psacct_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package psacct installed and service psacct is configured to start" operator="AND">
<ns3:extend_definition comment="psacct installed" definition_ref="oval:ssg-package_psacct_installed:def:1" />
<ns3:criteria comment="service psacct is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants psacct" test_ref="oval:ssg-test_multi_user_wants_psacct:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_qpidd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service qpidd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The qpidd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_qpidd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package qpid-cpp-server removed or service qpidd is not configured to start" operator="OR">
<ns3:extend_definition comment="qpid-cpp-server removed" definition_ref="oval:ssg-package_qpid-cpp-server_removed:def:1" />
<ns3:criteria comment="service qpidd is not configured to start" operator="OR">
<ns3:criterion comment="qpidd not wanted by multi-user.target" test_ref="oval:ssg-test_qpidd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_quota_nld_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service quota_nld Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The quota_nld service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_quota_nld_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package quota-nld removed or service quota_nld is not configured to start" operator="OR">
<ns3:extend_definition comment="quota-nld removed" definition_ref="oval:ssg-package_quota-nld_removed:def:1" />
<ns3:criteria comment="service quota_nld is not configured to start" operator="OR">
<ns3:criterion comment="quota_nld not wanted by multi-user.target" test_ref="oval:ssg-test_quota_nld_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rdisc_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rdisc Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rdisc service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rdisc_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package iputils removed or service rdisc is not configured to start" operator="OR">
<ns3:extend_definition comment="iputils removed" definition_ref="oval:ssg-package_iputils_removed:def:1" />
<ns3:criteria comment="service rdisc is not configured to start" operator="OR">
<ns3:criterion comment="rdisc not wanted by multi-user.target" test_ref="oval:ssg-test_rdisc_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rexec_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rexec Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rexec service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="20150924" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="service_rexec_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package rsh-server removed or socket rexec is not configured to start" operator="OR">
<ns3:extend_definition comment="rsh-server removed" definition_ref="oval:ssg-package_rsh-server_removed:def:1" />
<ns3:criteria comment="socket rexec is not configured to start" operator="AND">
<ns3:criterion comment="rexec not wanted by multi-user.target" test_ref="oval:ssg-test_rexec_not_wanted_by_multi_user_target:tst:1" />
<ns3:criterion comment="rexec disabled" test_ref="oval:ssg-test_etc_xinetd_rexec_disabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rhnsd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rhnsd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rhnsd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rhnsd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package rhnsd removed or service rhnsd is not configured to start" operator="OR">
<ns3:extend_definition comment="rhnsd removed" definition_ref="oval:ssg-package_rhnsd_removed:def:1" />
<ns3:criteria comment="service rhnsd is not configured to start" operator="OR">
<ns3:criterion comment="rhnsd not wanted by multi-user.target" test_ref="oval:ssg-test_rhnsd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rhsmcertd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rhsmcertd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rhsmcertd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rhsmcertd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package subscription-manager removed or service rhsmcertd is not configured to start" operator="OR">
<ns3:extend_definition comment="subscription-manager removed" definition_ref="oval:ssg-package_subscription-manager_removed:def:1" />
<ns3:criteria comment="service rhsmcertd is not configured to start" operator="OR">
<ns3:criterion comment="rhsmcertd not wanted by multi-user.target" test_ref="oval:ssg-test_rhsmcertd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rlogin_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rlogin Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rlogin service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="20150924" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="service_rlogin_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package rsh-server removed or socket rlogin is not configured to start" operator="OR">
<ns3:extend_definition comment="rsh-server removed" definition_ref="oval:ssg-package_rsh-server_removed:def:1" />
<ns3:criteria comment="socket rlogin is not configured to start" operator="AND">
<ns3:criterion comment="rlogin not wanted by multi-user.target" test_ref="oval:ssg-test_rlogin_not_wanted_by_multi_user_target:tst:1" />
<ns3:criterion comment="rlogin disabled" test_ref="oval:ssg-test_etc_xinetd_rlogin_disabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rpcbind_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rpcbind Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rpcbind service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rpcbind_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package nfs-utils removed or service rpcbind is not configured to start" operator="OR">
<ns3:extend_definition comment="nfs-utils removed" definition_ref="oval:ssg-package_nfs-utils_removed:def:1" />
<ns3:criteria comment="service rpcbind is not configured to start" operator="OR">
<ns3:criterion comment="rpcbind not wanted by multi-user.target" test_ref="oval:ssg-test_rpcbind_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rpcgssd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rpcgssd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rpcgssd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rpcgssd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package nfs-utils removed or service rpcgssd is not configured to start" operator="OR">
<ns3:extend_definition comment="nfs-utils removed" definition_ref="oval:ssg-package_nfs-utils_removed:def:1" />
<ns3:criteria comment="service rpcgssd is not configured to start" operator="OR">
<ns3:criterion comment="rpcgssd not wanted by multi-user.target" test_ref="oval:ssg-test_rpcgssd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rpcidmapd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rpcidmapd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rpcidmapd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rpcidmapd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package nfs-utils removed or service rpcidmapd is not configured to start" operator="OR">
<ns3:extend_definition comment="nfs-utils removed" definition_ref="oval:ssg-package_nfs-utils_removed:def:1" />
<ns3:criteria comment="service rpcidmapd is not configured to start" operator="OR">
<ns3:criterion comment="rpcidmapd not wanted by multi-user.target" test_ref="oval:ssg-test_rpcidmapd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rpcsvcgssd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rpcsvcgssd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rpcsvcgssd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rpcsvcgssd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package nfs-utils removed or service rpcsvcgssd is not configured to start" operator="OR">
<ns3:extend_definition comment="nfs-utils removed" definition_ref="oval:ssg-package_nfs-utils_removed:def:1" />
<ns3:criteria comment="service rpcsvcgssd is not configured to start" operator="OR">
<ns3:criterion comment="rpcsvcgssd not wanted by multi-user.target" test_ref="oval:ssg-test_rpcsvcgssd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rsh_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rsh Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rsh service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="20150924" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="service_rsh_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package rsh-server removed or socket rsh is not configured to start" operator="OR">
<ns3:extend_definition comment="rsh-server removed" definition_ref="oval:ssg-package_rsh-server_removed:def:1" />
<ns3:criteria comment="socket rsh is not configured to start" operator="AND">
<ns3:criterion comment="rsh not wanted by multi-user.target" test_ref="oval:ssg-test_rsh_not_wanted_by_multi_user_target:tst:1" />
<ns3:criterion comment="rsh disabled" test_ref="oval:ssg-test_etc_xinetd_rsh_disabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_rsyslog_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service rsyslog Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The rsyslog service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_rsyslog_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package rsyslog installed and service rsyslog is configured to start" operator="AND">
<ns3:extend_definition comment="rsyslog installed" definition_ref="oval:ssg-package_rsyslog_installed:def:1" />
<ns3:criteria comment="service rsyslog is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants rsyslog" test_ref="oval:ssg-test_multi_user_wants_rsyslog:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_saslauthd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service saslauthd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The saslauthd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_saslauthd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package cyrus-sasl removed or service saslauthd is not configured to start" operator="OR">
<ns3:extend_definition comment="cyrus-sasl removed" definition_ref="oval:ssg-package_cyrus-sasl_removed:def:1" />
<ns3:criteria comment="service saslauthd is not configured to start" operator="OR">
<ns3:criterion comment="saslauthd not wanted by multi-user.target" test_ref="oval:ssg-test_saslauthd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_smartd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service smartd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The smartd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_smartd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package smartmontools removed or service smartd is not configured to start" operator="OR">
<ns3:extend_definition comment="smartmontools removed" definition_ref="oval:ssg-package_smartmontools_removed:def:1" />
<ns3:criteria comment="service smartd is not configured to start" operator="OR">
<ns3:criterion comment="smartd not wanted by multi-user.target" test_ref="oval:ssg-test_smartd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_smb_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service smb Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The smb service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_smb_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package samba removed or service smb is not configured to start" operator="OR">
<ns3:extend_definition comment="samba removed" definition_ref="oval:ssg-package_samba_removed:def:1" />
<ns3:criteria comment="service smb is not configured to start" operator="OR">
<ns3:criterion comment="smb not wanted by multi-user.target" test_ref="oval:ssg-test_smb_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_snmpd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service snmpd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The snmpd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_snmpd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package net-snmp removed or service snmpd is not configured to start" operator="OR">
<ns3:extend_definition comment="net-snmp removed" definition_ref="oval:ssg-package_net-snmp_removed:def:1" />
<ns3:criteria comment="service snmpd is not configured to start" operator="OR">
<ns3:criterion comment="snmpd not wanted by multi-user.target" test_ref="oval:ssg-test_snmpd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_squid_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service squid Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The squid service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_squid_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package squid removed or service squid is not configured to start" operator="OR">
<ns3:extend_definition comment="squid removed" definition_ref="oval:ssg-package_squid_removed:def:1" />
<ns3:criteria comment="service squid is not configured to start" operator="OR">
<ns3:criterion comment="squid not wanted by multi-user.target" test_ref="oval:ssg-test_squid_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_sshd_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service sshd Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The sshd service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_sshd_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package openssh-server installed and service sshd is configured to start" operator="AND">
<ns3:extend_definition comment="openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1" />
<ns3:criteria comment="service sshd is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants sshd" test_ref="oval:ssg-test_multi_user_wants_sshd:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_sssd_enabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service sssd Enabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The sssd service should be enabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_sssd_enabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package sssd installed and service sssd is configured to start" operator="AND">
<ns3:extend_definition comment="sssd installed" definition_ref="oval:ssg-package_sssd_installed:def:1" />
<ns3:criteria comment="service sssd is configured to start" operator="OR">
<ns3:criterion comment="multi-user.target wants sssd" test_ref="oval:ssg-test_multi_user_wants_sssd:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_sysstat_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service sysstat Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The sysstat service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_sysstat_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package sysstat removed or service sysstat is not configured to start" operator="OR">
<ns3:extend_definition comment="sysstat removed" definition_ref="oval:ssg-package_sysstat_removed:def:1" />
<ns3:criteria comment="service sysstat is not configured to start" operator="OR">
<ns3:criterion comment="sysstat not wanted by multi-user.target" test_ref="oval:ssg-test_sysstat_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_telnet_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service telnet Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The telnet service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="20150924" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="galford" />
<ns3:reference ref_id="service_telnet_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package telnet-server removed or socket telnet is not configured to start" operator="OR">
<ns3:extend_definition comment="telnet-server removed" definition_ref="oval:ssg-package_telnet-server_removed:def:1" />
<ns3:criteria comment="socket telnet is not configured to start" operator="AND">
<ns3:criterion comment="telnet not wanted by multi-user.target" test_ref="oval:ssg-test_telnet_not_wanted_by_multi_user_target:tst:1" />
<ns3:criterion comment="Disable telnet xinetd" test_ref="oval:ssg-test_xinetd_telnetd_disabled:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_tftp_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service tftp Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The tftp service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_tftp_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package tftp-server removed or service tftp is not configured to start" operator="OR">
<ns3:extend_definition comment="tftp-server removed" definition_ref="oval:ssg-package_tftp-server_removed:def:1" />
<ns3:criteria comment="service tftp is not configured to start" operator="OR">
<ns3:criterion comment="tftp not wanted by multi-user.target" test_ref="oval:ssg-test_tftp_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_vsftpd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service vsftpd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The vsftpd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_vsftpd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package vsftpd removed or service vsftpd is not configured to start" operator="OR">
<ns3:extend_definition comment="vsftpd removed" definition_ref="oval:ssg-package_vsftpd_removed:def:1" />
<ns3:criteria comment="service vsftpd is not configured to start" operator="OR">
<ns3:criterion comment="vsftpd not wanted by multi-user.target" test_ref="oval:ssg-test_vsftpd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_xinetd_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service xinetd Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The xinetd service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_xinetd_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package xinetd removed or service xinetd is not configured to start" operator="OR">
<ns3:extend_definition comment="xinetd removed" definition_ref="oval:ssg-package_xinetd_removed:def:1" />
<ns3:criteria comment="service xinetd is not configured to start" operator="OR">
<ns3:criterion comment="xinetd not wanted by multi-user.target" test_ref="oval:ssg-test_xinetd_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_ypbind_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service ypbind Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The ypbind service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_ypbind_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package ypbind removed or service ypbind is not configured to start" operator="OR">
<ns3:extend_definition comment="ypbind removed" definition_ref="oval:ssg-package_ypbind_removed:def:1" />
<ns3:criteria comment="service ypbind is not configured to start" operator="OR">
<ns3:criterion comment="ypbind not wanted by multi-user.target" test_ref="oval:ssg-test_ypbind_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-service_zebra_disabled:def:1" version="1">
<ns3:metadata>
<ns3:title>Service zebra Disabled</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>The zebra service should be disabled if possible.</ns3:description>
<ns3:reference ref_id="RHEL7_20150605" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="service_zebra_disabled" source="ssg" /></ns3:metadata>
<ns3:criteria comment="package quagga removed or service zebra is not configured to start" operator="OR">
<ns3:extend_definition comment="quagga removed" definition_ref="oval:ssg-package_quagga_removed:def:1" />
<ns3:criteria comment="service zebra is not configured to start" operator="OR">
<ns3:criterion comment="zebra not wanted by multi-user.target" test_ref="oval:ssg-test_zebra_not_wanted_by_multi_user_target:tst:1" />
</ns3:criteria>
</ns3:criteria>
</ns3:definition>
<ns3:definition class="compliance" id="oval:ssg-smartcard_auth:def:1" version="2">
<ns3:metadata>
<ns3:title>Enable Smart Card Login</ns3:title>
<ns3:affected family="unix">
<ns3:platform>Red Hat Enterprise Linux 7</ns3:platform>
</ns3:affected>
<ns3:description>Enable Smart Card logins</ns3:description>
<ns3:reference ref_id="RHEL7_20151130" ref_url="https://github.com/OpenSCAP/scap-security-guide/wiki/Contributors" source="JL" />
<ns3:reference ref_id="smartcard_auth" source="ssg" /></ns3:metadata>
<ns3:criteria comment="smart card authentication is configured" operator="AND">
<ns3:extend_definition comment="pam_pkcs11 package is installed" definition_ref="oval:ssg-package_pam_pkcs11_installed:def:1" />
<ns3:extend_definition comment="esc package is installed" definition_ref="oval:ssg-package_esc_installed:def:1" />
<ns3:extend_definition comment="pcscd service is enabled" definition_ref="oval:ssg-pcscd_activation_socket_enabled:def:1" />
<ns3:criterion comment="cert_policy directive contains oscp_on" test_ref="oval:ssg-test_pam_pkcs11_cert_policy_ocsp_on:tst:1" />
<ns3:criteria comment="smart card authentication is enabled or required in system-auth" operator="OR">
<ns3:criterion comment="smart card authentication is enabled in /etc/pam.d/system-auth" test_ref="oval:ssg-test_smart_card_enabled_system_auth:tst:1" />
<ns3:criterion comment="smart card is required in /etc/pam.d/system-auth" test_ref="oval:ssg-test_smart_card_required_system_auth:tst:1" />
</ns3:criteria>
<ns3:criterion comment="smart card is required in /etc/pam.d/smartcard-auth" test_ref="oval:ssg-test_smart_card_required_smartcard_auth:tst:1" />
</ns3:criteria>
</ns3:definition>
</ns3:definitions>
<ns3:tests>
<ns6:textfilecontent54_test check="all" comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd" id="oval:ssg-test_etc_default_useradd_inactive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_default_useradd_inactive:obj:1" />
<ns6:state state_ref="oval:ssg-state_etc_default_useradd_inactive:ste:1" />
<ns6:state state_ref="oval:ssg-state_etc_default_useradd_inactive_nonnegative:ste:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" check_existence="all_exist" comment="There should not exist duplicate user name entries in /etc/passwd" id="oval:ssg-test_etc_passwd_no_duplicate_user_names:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_count_of_all_usernames_from_etc_passwd:obj:1" />
<ns6:state state_ref="oval:ssg-state_etc_passwd_no_duplicate_user_names:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" comment="the value maxlogins should be set appropriately in /etc/security/limits.conf" id="oval:ssg-test_maxlogins:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_security_limits_conf_maxlogins:obj:1" />
<ns6:state state_ref="oval:ssg-state_maxlogins:ste:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" comment="The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs" id="oval:ssg-test_pass_max_days:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_last_pass_max_days_instance_value:obj:1" />
<ns6:state state_ref="oval:ssg-state_last_pass_max_days_instance_value:ste:1" />
</ns6:variable_test>
<ns6:variable_test check="all" comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs" id="oval:ssg-test_pass_min_days:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_last_pass_min_days_instance_value:obj:1" />
<ns6:state state_ref="oval:ssg-state_last_pass_min_days_instance_value:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="oval:ssg-test_accounts_no_uid_except_root:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_no_uid_except_root:obj:1" />
</ns6:textfilecontent54_test>
<ns7:password_test check="all" comment="password hashes are shadowed" id="oval:ssg-test_accounts_password_all_shadowed:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_accounts_password_all_shadowed:obj:1" />
<ns7:state state_ref="oval:ssg-state_accounts_password_all_shadowed:ste:1" />
</ns7:password_test>
<ns6:variable_test check="all" comment="The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs" id="oval:ssg-test_pass_min_len:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_last_pass_min_len_instance_value:obj:1" />
<ns6:state state_ref="oval:ssg-state_last_pass_min_len_instance_value:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_dcredit:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_dcredit:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_dcredit:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_difok:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_difok:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_difok:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_lcredit:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_lcredit:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_lcredit:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_maxclassrepeat:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_maxclassrepeat:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_maxclassrepeat:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_maxrepeat:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_maxrepeat:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_maxrepeat:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_minclass:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_minclass:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_minclass:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_minlen:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_minlen:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_minlen:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_ocredit:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_ocredit:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_ocredit:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg-test_password_pam_pwquality:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg-test_password_pam_cracklib_retry:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_cracklib_retry:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_retry:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg-test_password_pam_pwquality_retry:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_retry:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_retry:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="check the configuration of /etc/security/pwquality.conf" id="oval:ssg-test_password_pam_pwquality_ucredit:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_password_pam_pwquality_ucredit:obj:1" />
<ns6:state state_ref="oval:ssg-state_password_pam_pwquality_ucredit:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Test if remember attribute of pam_unix.so is set correctly in /etc/pam.d/system-auth" id="oval:ssg-test_accounts_password_pam_unix_remember:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_password_pam_unix_remember:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_password_pam_unix_remember:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Test if remember attribute of pam_pwhistory.so is set correctly in /etc/pam.d/system-auth" id="oval:ssg-test_accounts_password_pam_pwhistory_remember:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_password_pam_pwhistory_remember:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_password_pam_unix_remember:ste:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" comment="The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs" id="oval:ssg-test_pass_warn_age:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_last_pass_warn_age_instance_value:obj:1" />
<ns6:state state_ref="oval:ssg-state_last_pass_warn_age_instance_value:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_system-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_system-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" id="oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_system-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_system-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/system-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_account_phase_system-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_account_phase_system-auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_preauth_silent_password-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_preauth_silent_password-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)" id="oval:ssg-test_accounts_passwords_pam_faillock_authfail_deny_password-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_authfail_deny_password-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_var_accounts_passwords_pam_faillock_deny_value:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if pam_faillock_so is called in account phase of /etc/pam.d/password-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_account_phase_password-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_account_phase_password-auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum preauth fail_interval allowed in /etc/pam.d/system-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_system-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_system-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_fail_interval_system-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum authfail fail_interval allowed in /etc/pam.d/system-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_authfail_fail_interval_system-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_fail_interval_system-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum authfail fail_interval allowed in /etc/pam.d/password-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_fail_interval_password-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_fail_interval_password-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_fail_interval_password-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check maximum preauth fail_interval allowed in /etc/pam.d/password-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_preauth_fail_interval_password-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_fail_interval_password-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check preauth maximum failed login attempts allowed in /etc/pam.d/system-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_system-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_system-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_system-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check authfail maximum failed login attempts allowed in /etc/pam.d/system-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_authfail_unlock_time_system-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_system-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check authfail maximum failed login attempts allowed in /etc/pam.d/password-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_unlock_time_password-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_unlock_time_password-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_password-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check preauth maximum failed login attempts allowed in /etc/pam.d/password-auth" id="oval:ssg-test_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_accounts_passwords_pam_faillock_preauth_unlock_time_password-auth:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_passwords_pam_faillock_unlock_time_password-auth:ste:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="none_exist" comment="Check if there aren't directories in root's path having write permission set for group or other" id="oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="TMOUT in /etc/profile" id="oval:ssg-test_etc_profile_tmout:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_profile_tmout:obj:1" />
<ns6:state state_ref="oval:ssg-state_etc_profile_tmout:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="TMOUT in /etc/profile.d/*.sh" id="oval:ssg-test_etc_profiled_tmout:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_profiled_tmout:obj:1" />
<ns6:state state_ref="oval:ssg-state_etc_profile_tmout:ste:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" comment="Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement" id="oval:ssg-tst_accounts_umask_etc_bashrc:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_accounts_umask_etc_bashrc:obj:1" />
<ns6:state state_ref="oval:ssg-ste_accounts_umask_etc_bashrc:ste:1" />
</ns6:variable_test>
<ns6:variable_test check="all" comment="Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement" id="oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_accounts_umask_etc_csh_cshrc:obj:1" />
<ns6:state state_ref="oval:ssg-ste_accounts_umask_etc_csh_cshrc:ste:1" />
</ns6:variable_test>
<ns6:variable_test check="all" comment="Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement" id="oval:ssg-tst_accounts_umask_etc_login_defs:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_accounts_umask_etc_login_defs:obj:1" />
<ns6:state state_ref="oval:ssg-ste_accounts_umask_etc_login_defs:ste:1" />
</ns6:variable_test>
<ns6:variable_test check="all" comment="Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement" id="oval:ssg-tst_accounts_umask_etc_profile:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_accounts_umask_etc_profile:obj:1" />
<ns6:state state_ref="oval:ssg-ste_accounts_umask_etc_profile:ste:1" />
</ns6:variable_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing existence of aide database file" id="oval:ssg-test_aide_build_database_absolute_path:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_aide_build_database_absolute_path:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="oval:ssg-test_aide_periodic_cron_checking:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_test_aide_periodic_cron_checking:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="oval:ssg-test_aide_crond_checking:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_test_aide_crond_checking:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="run aide daily with cron" id="oval:ssg-test_aide_var_cron_checking:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_aide_var_cron_checking:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_chmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_chmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit chmod" id="oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit chmod" id="oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_chmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_chmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit chmod" id="oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit chmod" id="oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_chown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_chown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit chown" id="oval:ssg-test_32bit_ardm_chown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_chown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit chown" id="oval:ssg-test_64bit_ardm_chown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_chown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_chown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_chown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit chown" id="oval:ssg-test_32bit_ardm_chown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_chown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit chown" id="oval:ssg-test_64bit_ardm_chown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_chown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_fchmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchmod" id="oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchmod" id="oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_fchmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchmod" id="oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchmod" id="oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_fchmodat_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchmodat_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchmodat" id="oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchmodat" id="oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_fchmodat_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchmodat_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchmodat" id="oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchmodat" id="oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_fchown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchown" id="oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchown" id="oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_fchown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchown" id="oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchown" id="oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_fchownat_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchownat_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchownat" id="oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchownat" id="oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_fchownat_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fchownat_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchownat" id="oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchownat" id="oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_fremovexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fremovexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit fremovexattr" id="oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit fremovexattr" id="oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_fremovexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fremovexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit fremovexattr" id="oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit fremovexattr" id="oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_fsetxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fsetxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit fsetxattr" id="oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit fsetxattr" id="oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_fsetxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_fsetxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit fsetxattr" id="oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit fsetxattr" id="oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_lchown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_lchown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit lchown" id="oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit lchown" id="oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_lchown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_lchown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit lchown" id="oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit lchown" id="oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_lremovexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_lremovexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit lremovexattr" id="oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit lremovexattr" id="oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_lremovexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_lremovexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit lremovexattr" id="oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit lremovexattr" id="oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_lsetxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_lsetxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit lsetxattr" id="oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit lsetxattr" id="oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_lsetxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_lsetxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit lsetxattr" id="oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctls 64-bit lsetxattr" id="oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_removexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_removexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit removexattr" id="oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit removexattr" id="oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_removexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_removexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit removexattr" id="oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit removexattr" id="oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ardm_setxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_setxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit setxattr" id="oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit setxattr" id="oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ardm_setxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ardm_setxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit setxattr" id="oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit setxattr" id="oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_audit_rules_file_deletion_events_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_file_deletion_events_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules file delete" id="oval:ssg-test_audit_rules_file_deletion_events_file_delete_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_file_deletion_events_file_delete_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_audit_rules_file_deletion_events_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_file_deletion_events_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl file delete" id="oval:ssg-test_audit_rules_file_deletion_events_file_delete_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_file_deletion_events_file_delete_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_ari_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ari_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules configuration locked" id="oval:ssg-test_ari_locked_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ari_locked_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_ari_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ari_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl configuration locked" id="oval:ssg-test_ari_locked_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_ari_locked_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_audit_rule_kernel_module_loading_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules insmod" id="oval:ssg-test_audit_rule_kernel_module_loading_insmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_insmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules rmmod" id="oval:ssg-test_audit_rule_kernel_module_loading_rmmod_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_rmmod_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules modprobe" id="oval:ssg-test_audit_rule_kernel_module_loading_modprobe_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_modprobe_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules module syscalls" id="oval:ssg-test_audit_rule_kernel_module_loading_syscall_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_syscall_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_audit_rule_kernel_module_loading_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl insmod" id="oval:ssg-test_audit_rule_kernel_module_loading_insmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_insmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl rmmod" id="oval:ssg-test_audit_rule_kernel_module_loading_rmmod_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_rmmod_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl modprobe" id="oval:ssg-test_audit_rule_kernel_module_loading_modprobe_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_modprobe_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl module syscalls" id="oval:ssg-test_audit_rule_kernel_module_loading_syscall_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rule_kernel_module_loading_syscall_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_arle_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules tallylog" id="oval:ssg-test_arle_tallylog_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_tallylog_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules faillock" id="oval:ssg-test_arle_faillock_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_faillock_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules lastlog" id="oval:ssg-test_arle_lastlog_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_lastlog_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_arle_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl tallylog" id="oval:ssg-test_arle_tallylog_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_tallylog_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl faillock" id="oval:ssg-test_arle_faillock_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_faillock_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl lastlog" id="oval:ssg-test_arle_lastlog_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arle_lastlog_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_armm_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_armm_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit selinux changes augenrules" id="oval:ssg-test_armm_selinux_watch_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_armm_selinux_watch_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_armm_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_armm_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit selinux changes auditctl" id="oval:ssg-test_armm_selinux_watch_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_armm_selinux_watch_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_audit_rules_media_export_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_media_export_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules mount" id="oval:ssg-test_audit_rules_media_export_mount_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_media_export_mount_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_audit_rules_media_export_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_media_export_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl mount" id="oval:ssg-test_audit_rules_media_export_mount_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_media_export_mount_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_arnm_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit network syscalls augenrules" id="oval:ssg-test_arnm_syscall_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_syscall_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/issue augenrules" id="oval:ssg-test_arnm_etc_issue_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_issue_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/issue.net augenrules" id="oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/hosts augenrules" id="oval:ssg-test_arnm_etc_hosts_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_hosts_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/sysconfig/network augenrules" id="oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_arnm_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit network syscalls auditctl" id="oval:ssg-test_arnm_syscall_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_syscall_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/issue auditctl" id="oval:ssg-test_arnm_etc_issue_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_issue_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/issue.net auditctl" id="oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/hosts auditctl" id="oval:ssg-test_arnm_etc_hosts_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_hosts_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/sysconfig/network auditctl" id="oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_arpc_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arpc_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="audit augenrules suid sgid" id="oval:ssg-test_arpc_suid_sgid_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arpc_suid_sgid_augenrules:obj:1" />
<ns6:state state_ref="oval:ssg-state_audit_rules_privileged_commands:ste:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" check_existence="all_exist" comment="audit augenrules binaries count matches rules count" id="oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_count_of_suid_sgid_binaries_on_system:obj:1" />
<ns6:state state_ref="oval:ssg-state_count_of_privileged_commands_having_audit_definition_augenrules:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_arpc_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arpc_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="audit auditctl suid sgid" id="oval:ssg-test_arpc_suid_sgid_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arpc_suid_sgid_auditctl:obj:1" />
<ns6:state state_ref="oval:ssg-state_audit_rules_privileged_commands:ste:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" check_existence="all_exist" comment="audit auditctl binaries count matches rules count" id="oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_count_of_suid_sgid_binaries_on_system:obj:1" />
<ns6:state state_ref="oval:ssg-state_count_of_privileged_commands_having_audit_definition_auditctl:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_arse_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules utmp" id="oval:ssg-test_arse_utmp_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_utmp_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules btmp" id="oval:ssg-test_arse_btmp_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_btmp_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules wtmp" id="oval:ssg-test_arse_wtmp_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_wtmp_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_arse_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl utmp" id="oval:ssg-test_arse_utmp_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_utmp_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl btmp" id="oval:ssg-test_arse_btmp_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_btmp_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl wtmp" id="oval:ssg-test_arse_wtmp_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arse_wtmp_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_audit_rules_sysadmin_actions_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_audit_rules_sysadmin_actions_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_art_adjtimex_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_adjtimex_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit adjtimex" id="oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit adjtimex" id="oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_art_adjtimex_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_adjtimex_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit adjtimex" id="oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit adjtimex" id="oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_art_clock_settime_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_clock_settime_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit clock_settime" id="oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit clock_settime" id="oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_art_clock_settime_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_clock_settime_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit clock_settime" id="oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit clock_settime" id="oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_art_settimeofday_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_settimeofday_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit settimeofday" id="oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit settimeofday" id="oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_art_settimeofday_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_settimeofday_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit settimeofday" id="oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit settimeofday" id="oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_art_stime_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_stime_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit stime" id="oval:ssg-test_32bit_art_stime_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_stime_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_art_stime_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_art_stime_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit stime" id="oval:ssg-test_32bit_art_stime_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_art_stime_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_artw_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_artw_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/localtime watch augenrules" id="oval:ssg-test_artw_etc_localtime_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_artw_etc_localtime_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_artw_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_artw_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/localtime watch auditctl" id="oval:ssg-test_artw_etc_localtime_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_artw_etc_localtime_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_arufm_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arufm_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eaccess" id="oval:ssg-test_32bit_arufm_eaccess_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_arufm_eaccess_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_arufm_eperm_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eaccess" id="oval:ssg-test_64bit_arufm_eaccess_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_arufm_eaccess_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_arufm_eperm_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_arufm_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_arufm_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eaccess" id="oval:ssg-test_32bit_arufm_eaccess_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_arufm_eaccess_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_32bit_arufm_eperm_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eaccess" id="oval:ssg-test_64bit_arufm_eaccess_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_arufm_eaccess_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_64bit_arufm_eperm_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_audit_rules_usergroup_modification_augenrules:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_augenrules:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules /etc/group" id="oval:ssg-test_audit_rules_usergroup_modification_etc_group_augen:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_group_augen:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules /etc/passwd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_augen:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_augen:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules /etc/gshadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_augen:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_augen:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules /etc/shadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_augen:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_augen:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit augenrules /etc/security/opasswd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_augen:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_augen:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_audit_rules_usergroup_modification_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/group" id="oval:ssg-test_audit_rules_usergroup_modification_etc_group_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_group_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/passwd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/gshadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/shadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audit /etc/security/opasswd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="audispd syslog plugin activated" id="oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_audispd_syslog_plugin_activated:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="email account for actions" id="oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_data_retention_action_mail_acct:obj:1" />
<ns6:state state_ref="oval:ssg-state_auditd_data_retention_action_mail_acct:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="space left action" id="oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_data_retention_admin_space_left_action:obj:1" />
<ns6:state state_ref="oval:ssg-state_auditd_data_retention_admin_space_left_action:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="test the value of flush parameter in /etc/audit/auditd.conf" id="oval:ssg-test_auditd_data_retention_flush:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_data_retention_flush:obj:1" />
<ns6:state state_ref="oval:ssg-state_auditd_data_retention_flush:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="max log file size" id="oval:ssg-test_auditd_data_retention_max_log_file:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_data_retention_max_log_file:obj:1" />
<ns6:state state_ref="oval:ssg-state_auditd_data_retention_max_log_file:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="admin space left action " id="oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_data_retention_max_log_file_action:obj:1" />
<ns6:state state_ref="oval:ssg-state_auditd_data_retention_max_log_file_action:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="admin space left action " id="oval:ssg-test_auditd_data_retention_num_logs:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_data_retention_num_logs:obj:1" />
<ns6:state state_ref="oval:ssg-state_auditd_data_retention_num_logs:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="space left action" id="oval:ssg-test_auditd_data_retention_space_left_action:tst:1" version="2">
<ns6:object object_ref="oval:ssg-object_auditd_data_retention_space_left_action:obj:1" />
<ns6:state state_ref="oval:ssg-state_auditd_data_retention_space_left_action:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="correct banner in /etc/issue" id="oval:ssg-test_banner_etc_issue:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_banner_etc_issue:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" id="oval:ssg-test_bootloader_audit_argument:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_audit_argument:obj:1" />
<ns6:state state_ref="oval:ssg-state_bootloader_audit_argument:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check for audit=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" id="oval:ssg-test_bootloader_audit_argument_default:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_audit_argument_default:obj:1" />
<ns6:state state_ref="oval:ssg-state_bootloader_audit_argument:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub" id="oval:ssg-test_bootloader_recovery_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_disable_recovery_argument:obj:1" />
<ns6:state state_ref="oval:ssg-state_bootloader_disable_recovery_argument:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check for 'nousb' argument in /etc/default/grub" id="oval:ssg-test_bootloader_nousb_argument:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_nousb_argument:obj:1" />
<ns6:state state_ref="oval:ssg-state_bootloader_nousb_argument:ste:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="none_exist" comment="/boot/grub2/grub.cfg does not exist" id="oval:ssg-test_bootloader_grub_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_bootloader_grub_cfg:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in /etc/grub2.cfg files. Superuser is not root, admin, or administrator" id="oval:ssg-test_bootloader_superuser:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_superuser:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /etc/grub2.cfg" id="oval:ssg-test_bootloader_password:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_password:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="none_exist" comment="/boot/efi/EFI/redhat/grub.cfg does not exist" id="oval:ssg-test_bootloader_uefi_grub_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_bootloader_uefi_grub_cfg:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser is defined in /boot/efi/EFI/redhat/grub.cfg. Superuser is not root, admin, or administrator" id="oval:ssg-test_bootloader_uefi_superuser:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_uefi_superuser:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/efi/EFI/redhat/grub.cfg" id="oval:ssg-test_bootloader_uefi_password:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_bootloader_uefi_password:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable Browsing" id="oval:ssg-test_cups_disable_browsing_browsing_off:tst:1" version="2">
<ns6:object object_ref="oval:ssg-obj_cups_disable_browsing_browsing_off:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Do not allow incoming printer information packets" id="oval:ssg-test_cups_disable_browsing_browseallow:tst:1" version="2">
<ns6:object object_ref="oval:ssg-obj_cups_disable_browsing_browseallow:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Disable the more general port directive" id="oval:ssg-test_cups_disable_printserver_disable_port:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_cups_disable_printserver_disable_port:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Listen only at the localhost level" id="oval:ssg-test_cups_disable_printserver_use_listen:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_cups_disable_printserver_use_listen:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner is enabled" id="oval:ssg-test_banner_gui_enabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_banner_gui_enabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg-test_prevent_user_banner_gui_enabled_change:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_banner_gui_enabled_change:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount in GNOME3" id="oval:ssg-test_dconf_gnome_disable_automount:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_dconf_gnome_disable_automount:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount setting" id="oval:ssg-test_prevent_user_gnome_automount:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_gnome_automount:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable automount-open in GNOME" id="oval:ssg-test_dconf_gnome_disable_automount_open:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_dconf_gnome_disable_automount_open:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing automount-open setting" id="oval:ssg-test_prevent_user_gnome_automount_open:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_gnome_automount_open:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable autorun in GNOME" id="oval:ssg-test_dconf_gnome_disable_autorun:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_dconf_gnome_disable_autorun:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent user from changing autorun setting" id="oval:ssg-test_prevent_user_gnome_autorun:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_gnome_autorun:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable Ctrl-Alt-Del" id="oval:ssg-test_disable_gnome_ctrlaltdel:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_gnome_ctrlaltdel:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent enabling of ctrl-alt-del keys" id="oval:ssg-test_prevent_user_enable_ctrlaltdel:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_enable_ctrlaltdel:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable system geolocation" id="oval:ssg-test_disable_sys_geolocation:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_sys_geolocation:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent enabling of system geolocation" id="oval:ssg-test_prevent_user_sys_geolocation:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_sys_geolocation:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable clock geolocation" id="oval:ssg-test_disable_clock_geolocation:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_clock_geolocation:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent enabling of clock geolocation" id="oval:ssg-test_prevent_user_clock_geolocation:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_clock_geolocation:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable power settings" id="oval:ssg-test_disable_gnome_power_setting:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_gnome_power_setting:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent enabling of power settings" id="oval:ssg-test_prevent_user_power_setting_change:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_power_setting_change:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI restart and shutdown buttons are disabled" id="oval:ssg-test_disable_restart_buttons:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_restart_buttons:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI restart and shutdown buttons cannot be enabled" id="oval:ssg-test_prevent_user_enable_restart_buttons:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_enable_restart_buttons:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable thumbnailers in GNOME3" id="oval:ssg-test_gnome_disable_thumbnailers:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_gnome_disable_thumbnailers:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot enable thumbnailers " id="oval:ssg-test_prevent_user_change_gnome_thumbnailers:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_change_gnome_thumbnailers:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable user administration" id="oval:ssg-test_disable_gnome_user_admin:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_gnome_user_admin:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent enabling of user administration" id="oval:ssg-test_prevent_user_enable_admin:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_enable_admin:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI user list is disabled" id="oval:ssg-test_disable_user_list:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_user_list:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI user list cannot be enabled" id="oval:ssg-test_prevent_user_disable_user_list:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_disable_user_list:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable wifi creation" id="oval:ssg-test_disable_wifi_creation:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_wifi_creation:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent enabling of wifi creation capability" id="oval:ssg-test_prevent_user_enable_wifi_creation:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_enable_wifi_creation:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable wifi notification" id="oval:ssg-test_disable_wifi_notification:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_wifi_notification:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Prevent enabling of wifi notification capability" id="oval:ssg-test_prevent_user_enable_wifi_notification:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_enable_wifi_notification:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Enable GUI Login Smartcard authentication" id="oval:ssg-test_enable_gnome_smartcard:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_enable_gnome_smartcard:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI smartcard authentication cannot be disabled" id="oval:ssg-test_prevent_user_disable_smartcard:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_disable_smartcard:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="GUI banner cannot be changed by user" id="oval:ssg-test_prevent_user_banner_change:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_banner_change:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="login banner text is correctly set" id="oval:ssg-test_gdm_login_banner_text_setting:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_gdm_login_banner_text_setting:obj:1" />
<ns6:state state_ref="oval:ssg-state_gdm_login_banner_text_setting:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Set number of login tries" id="oval:ssg-test_configure_allowed_failures:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_configure_allowed_failures:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="number of login attempts cannot be changed" id="oval:ssg-test_prevent_user_allowed-failures_change:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_allowed-failures_change:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="configure remote access credentials" id="oval:ssg-test_configure_remote_access_creds:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_configure_remote_access_creds:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="prevent user from disabling remote access credential requirements" id="oval:ssg-test_prevent_user_remote_access_creds:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_remote_access_creds:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="configure remote access encryption" id="oval:ssg-test_configure_remote_access_encryption:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_configure_remote_access_encryption:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="prevent user from disabling remote access encryption" id="oval:ssg-test_prevent_user_remote_access_encryption:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_remote_access_encryption:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="idle delay is configured" id="oval:ssg-test_screensaver_idle_activation_enabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_screensaver_idle_activation_enabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change idle_activation_enabled" id="oval:ssg-test_prevent_user_change_idle_activation_enabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_change_idle_activation_enabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay is configured" id="oval:ssg-test_screensaver_idle_delay:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_screensaver_idle_delay:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="user cannot change screensaver idle delay" id="oval:ssg-test_prevent_user_change_idle_delay:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_change_idle_delay:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver idle delay setting is correct" id="oval:ssg-test_screensaver_idle_delay_setting:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_screensaver_idle_delay_setting:obj:1" />
<ns6:state state_ref="oval:ssg-state_screensaver_idle_delay_setting:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is enabled" id="oval:ssg-test_screensaver_lock_enabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_screensaver_lock_enabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock cannot be changed by user" id="oval:ssg-test_prevent_user_screensaver_lock:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_screensaver_lock:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock is set correctly" id="oval:ssg-test_screensaver_lock_delay:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_screensaver_lock_delay:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver lock delay cannot be changed by user" id="oval:ssg-test_prevent_user_lock_delay:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_lock_delay:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver mode is blank" id="oval:ssg-test_screensaver_mode_blank:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_screensaver_mode_blank:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="blank screensaver cannot be changed by user" id="oval:ssg-test_prevent_user_screensaver_mode_change:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_screensaver_mode_change:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver user info is disabled" id="oval:ssg-test_screensaver_disable_user_info:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_screensaver_disable_user_info:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="screensaver prevent user from changing" id="oval:ssg-test_prevent_user_info_change:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_prevent_user_info_change:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing directory permissions" id="oval:ssg-test_dir_perms_etc_httpd_conf:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_dir_perms_etc_httpd_conf:obj:1" />
<ns7:state state_ref="oval:ssg-state_dir_perms_etc_httpd_conf:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing directory permissions" id="oval:ssg-test_dir_perms_var_log_httpd:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_dir_perms_var_log_httpd:obj:1" />
<ns7:state state_ref="oval:ssg-state_dir_perms_var_log_httpd:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="all local world-writable directories have sticky bit set" id="oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_only_local_directories:obj:1" />
<ns7:state state_ref="oval:ssg-state_world_writable_and_not_sticky:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" comment="check for local directories that are world writable and have uid greater than or equal to 1000" id="oval:ssg-test_dir_world_writable_uid_gt_1000:tst:1" version="1">
<ns7:object object_ref="oval:ssg-all_local_directories:obj:1" />
<ns7:state state_ref="oval:ssg-state_gid_is_user_and_world_writable:ste:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="sshd HostbasedAuthentication" id="oval:ssg-test_sshd_hostbasedauthentication:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_sshd_hostbasedauthentication:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX" id="oval:ssg-test_disable_interactive_boot_grub_cmdline_linux:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_disable_interactive_boot_grub_cmdline_linux:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT" id="oval:ssg-test_disable_interactive_boot_grub_cmdline_linux_default:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_disable_interactive_boot_grub_cmdline_linux_default:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests whether prelinking is disabled" id="oval:ssg-test_prelinking_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_prelinking_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file" id="oval:ssg-test_core_dumps_limitsconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_core_dumps_limitsconf:obj:1" />
<ns6:state state_ref="oval:ssg-state_core_dumps_limitsconf:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="Check the pam_lastlog configuration of /etc/pam.d/postlogin" id="oval:ssg-test_display_login_attempts:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_display_login_attempts:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="dconf user profile exists" id="oval:ssg-test_dconf_user_profile:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_dconf_user_profile:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found" id="oval:ssg-test_selinux_default_grub:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_selinux_default_grub:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found" id="oval:ssg-test_selinux_grub2_cfg:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_selinux_grub2_cfg:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="check value selinux|enforcing=0 in /etc/grub.d fail if found" id="oval:ssg-test_selinux_grub_dir:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_selinux_grub_dir:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/yum.conf" id="oval:ssg-test_yum_ensure_gpgcheck_globally_activated:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_yum_ensure_gpgcheck_globally_activated:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of gpgcheck in /etc/dnf/dnf.conf" id="oval:ssg-test_dnf_ensure_gpgcheck_globally_activated:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_dnf_ensure_gpgcheck_globally_activated:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of gpgcheck=0 in /etc/yum.repos.d/ files" id="oval:ssg-test_ensure_gpgcheck_never_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_ensure_gpgcheck_never_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of daily setting in /etc/logrotate.conf file" id="oval:ssg-test_logrotate_conf_daily_setting:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_logrotate_conf_daily_setting:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)" id="oval:ssg-test_cron_daily_logrotate_existence:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_cron_daily_logrotate_existence:obj:1" />
</ns6:textfilecontent54_test>
<ns8:rpminfo_test check="only one" check_existence="at_least_one_exists" comment="Red Hat release key package is installed" id="oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_gpg-pubkey:obj:1" />
<ns8:state state_ref="oval:ssg-state_package_gpg-pubkey-fd431d51-4ae0493b:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="only one" check_existence="at_least_one_exists" comment="Red Hat auxiliary key package is installed" id="oval:ssg-test_package_gpgkey-2fa658e0-45700c69_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_gpg-pubkey:obj:1" />
<ns8:state state_ref="oval:ssg-state_package_gpg-pubkey-2fa658e0-45700c69:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="only one" check_existence="at_least_one_exists" comment="CentOS7 key package is installed" id="oval:ssg-test_package_gpgkey-f4a80eb5-53a7ff4b_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_gpg-pubkey:obj:1" />
<ns8:state state_ref="oval:ssg-state_package_gpg-pubkey-f4a80eb5-53a7ff4b:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="only one" check_existence="at_least_one_exists" comment="CentOS6 key package is installed" id="oval:ssg-test_package_gpgkey-c105b9de-4e0fd3a3_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_gpg-pubkey:obj:1" />
<ns8:state state_ref="oval:ssg-state_package_gpg-pubkey-c105b9de-4e0fd3a3:ste:1" />
</ns8:rpminfo_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg-test_file_group_owner_grub2_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_group_owner_grub2_cfg:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_group_owner_grub2_cfg:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg-test_file_group_owner_efi_grub2_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_group_owner_efi_grub2_cfg:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_group_owner_grub2_cfg:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:ssg-test_file_groupowner_etc_group:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_groupowner_etc_group:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_groupowner_etc_group:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing gshadow ownership" id="oval:ssg-test_file_groupowner_etc_gshadow:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_groupowner_etc_gshadow:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_groupowner_etc_gshadow:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing group ownership of /etc/passwd" id="oval:ssg-test_file_groupowner_etc_passwd:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_groupowner_etc_passwd:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_groupowner_etc_passwd:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:ssg-test_file_owner_etc_group:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_owner_etc_group:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_owner_etc_group:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing gshadow ownership" id="oval:ssg-test_file_owner_etc_gshadow:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_owner_etc_gshadow:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_owner_etc_gshadow:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:ssg-test_file_owner_etc_passwd:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_owner_etc_passwd:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_owner_etc_passwd:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="binary directories uid root" id="oval:ssg-test_ownership_binary_directories:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_ownership_binary_directories:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="binary files uid root" id="oval:ssg-test_ownership_binary_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_ownership_binary_files:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="library directories uid root" id="oval:ssg-test_ownership_lib_dir:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_ownership_lib_dir:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="library files uid root" id="oval:ssg-test_ownership_lib_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_ownership_lib_files:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="log_group = root" id="oval:ssg-test_auditd_conf_log_group_root:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_auditd_conf_log_group_root:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="none_exist" comment="/var/log/audit directories uid root gid root" id="oval:ssg-test_ownership_var_log_audit_directories:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_ownership_var_log_audit_directories:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="/var/log/audit files uid root gid root" id="oval:ssg-test_ownership_var_log_audit_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_ownership_var_log_audit_files:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/var/log/audit directories uid root gid root" id="oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_ownership_var_log_audit_directories-non_root:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/var/log/audit files uid root gid root" id="oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_ownership_var_log_audit_files-non_root:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="binary files go-w" id="oval:ssg-test_perms_binary_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_binary_files:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing /etc/group permissions" id="oval:ssg-test_file_permissions_etc_group:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_etc_group:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_permissions_etc_group:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/etc/gshadow mode and ownership" id="oval:ssg-test_etc_gshadow:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_etc_gshadow:obj:1" />
<ns7:state state_ref="oval:ssg-_etc_gshadow_state_uid_0:ste:1" />
<ns7:state state_ref="oval:ssg-_etc_gshadow_state_gid_0:ste:1" />
<ns7:state state_ref="oval:ssg-_etc_gshadow_state_mode_0000:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/etc/passwd mode and ownership" id="oval:ssg-test_etc_passwd:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_etc_passwd:obj:1" />
<ns7:state state_ref="oval:ssg-_etc_passwd_state_uid_0:ste:1" />
<ns7:state state_ref="oval:ssg-_etc_passwd_state_gid_0:ste:1" />
<ns7:state state_ref="oval:ssg-_etc_passwd_state_mode_0644_or_stronger:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/etc/shadow mode and ownership" id="oval:ssg-test_etc_shadow:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_etc_shadow:obj:1" />
<ns7:state state_ref="oval:ssg-_etc_shadow_state_uid_0:ste:1" />
<ns7:state state_ref="oval:ssg-_etc_shadow_state_gid_0:ste:1" />
<ns7:state state_ref="oval:ssg-_etc_shadow_state_mode_0000:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:ssg-test_file_permissions_grub2_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_grub2_cfg:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_permissions_grub2_cfg:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg-test_file_permissions_efi_grub2_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_efi_grub2_cfg:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_permissions_grub2_cfg:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="home directories" id="oval:ssg-test_file_permissions_home_dirs:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_home_dirs:obj:1" />
<ns7:state state_ref="oval:ssg-state_home_dirs_wrong_perm:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/etc/httpd/conf/* permissions" id="oval:ssg-test_file_permissions_httpd_server_conf_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_httpd_server_conf_files:obj:1" />
<ns7:state state_ref="oval:ssg-state_wrong_file_permissions_httpd_server_conf_files:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="library directories go-w" id="oval:ssg-test_perms_lib_dir:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_lib_dir:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="library files go-w" id="oval:ssg-test_perms_lib_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_lib_files:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="world writable files" id="oval:ssg-test_file_permissions_unauthorized_world_write:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_unauthorized_world_write:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="files with no group owner" id="oval:ssg-test_file_permissions_ungroupowned:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_ungroupowned:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0640" id="oval:ssg-test_file_permissions_var_log_audit-non_root:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_var_log_audit_files-non_root:obj:1" />
<ns7:state state_ref="oval:ssg-state_not_mode_0640:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0600" id="oval:ssg-test_file_permissions_var_log_audit:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_var_log_audit_files:obj:1" />
<ns7:state state_ref="oval:ssg-state_not_mode_0600:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/boot/grub2/grub.cfg owned by root" id="oval:ssg-test_file_user_owner_grub2_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_user_owner_grub2_cfg:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_user_owner_grub2_cfg:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="/boot/efi/EFI/redhat/grub.cfg owned by root" id="oval:ssg-test_file_user_owner_efi_grub2_cfg:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_user_owner_efi_grub2_cfg:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_user_owner_grub2_cfg:ste:1" />
</ns7:file_test>
<ns6:xmlfilecontent_test check="all" check_existence="none_exist" comment="ssh service is not enabled in services" id="oval:ssg-test_firewalld_service_sshd:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_firewalld_service_sshd:obj:1" />
</ns6:xmlfilecontent_test>
<ns6:xmlfilecontent_test check="all" check_existence="none_exist" comment="ssh port is not enabled in services" id="oval:ssg-test_firewalld_service_sshd_port:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_firewalld_service_sshd_port:obj:1" />
</ns6:xmlfilecontent_test>
<ns6:xmlfilecontent_test check="all" check_existence="none_exist" comment="ssh service is not enabled in zones" id="oval:ssg-test_firewalld_zone_sshd:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_firewalld_zone_sshd:obj:1" />
</ns6:xmlfilecontent_test>
<ns6:xmlfilecontent_test check="all" check_existence="none_exist" comment="ssh port is not enabled in zones" id="oval:ssg-test_firewalld_zone_sshd_port:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_firewalld_zone_sshd_port:obj:1" />
</ns6:xmlfilecontent_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg-test_ftp_log_transactions_enable:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_test_ftp_log_transactions_enable:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg-test_ftp_log_transactions_format:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_test_ftp_log_transactions_format:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="log ftp transactions" id="oval:ssg-test_ftp_log_transactions_protocol:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_test_ftp_log_transactions_protocol:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Banner for FTP Users" id="oval:ssg-test_ftp_present_banner:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_test_ftp_present_banner:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Verify all GIDs referenced in /etc/passwd are defined in /etc/group" id="oval:ssg-test_gid_passwd_group_same:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_gid_passwd_group_same:obj:1" />
<ns6:state state_ref="oval:ssg-state_gid_passwd_group_same:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable GDM Automatic Login" id="oval:ssg-test_disable_automatic_login:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_automatic_login:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Disable GDM Guest Login" id="oval:ssg-test_disable_guest_login:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_disable_guest_login:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing group ownership /etc/shadow" id="oval:ssg-test_groupowner_etc_shadow:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_groupowner_shadow_file:obj:1" />
<ns7:state state_ref="oval:ssg-state_groupowner_shadow_file:ste:1" />
</ns7:file_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="AntiVirus package is installed" id="oval:ssg-test_linuxshield_install_antivirus:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_linuxshield_install_antivirus:obj:1" />
</ns8:rpminfo_test>
<ns6:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_unix_family:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_unix_family:obj:1" />
<ns6:state state_ref="oval:ssg-state_unix_family:ste:1" />
</ns6:family_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 6" id="oval:ssg-test_centos6:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_centos6:obj:1" />
<ns8:state state_ref="oval:ssg-state_centos6:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 7" id="oval:ssg-test_centos7:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_centos7:obj:1" />
<ns8:state state_ref="oval:ssg-state_centos7:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="only_one_exists" comment="fedora-release RPM package is installed" id="oval:ssg-test_fedora_release_rpm:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_fedora_release_rpm:obj:1" />
</ns8:rpminfo_test>
<ns6:textfilecontent54_test check="all" comment="CPE vendor is 'fedoraproject' and 'product' is fedora" id="oval:ssg-test_fedora_vendor_product:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_fedora_vendor_product:obj:1" />
</ns6:textfilecontent54_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 6" id="oval:ssg-test_rhel_workstation:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_rhel_workstation:obj:1" />
<ns8:state state_ref="oval:ssg-state_rhel_workstation:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 6" id="oval:ssg-test_rhel_server:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_rhel_server:obj:1" />
<ns8:state state_ref="oval:ssg-state_rhel_server:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-computenode is version 6" id="oval:ssg-test_rhel_computenode:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_rhel_computenode:obj:1" />
<ns8:state state_ref="oval:ssg-state_rhel_computenode:ste:1" />
</ns8:rpminfo_test>
<ns6:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel7_unix_family:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_rhel7_unix_family:obj:1" />
<ns6:state state_ref="oval:ssg-state_rhel7_unix_family:ste:1" />
</ns6:family_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg-test_rhel7_workstation:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_rhel7_workstation:obj:1" />
<ns8:state state_ref="oval:ssg-state_rhel7_workstation:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg-test_rhel7_server:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_rhel7_server:obj:1" />
<ns8:state state_ref="oval:ssg-state_rhel7_server:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-computenode is version 7" id="oval:ssg-test_rhel7_computenode:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_rhel7_computenode:obj:1" />
<ns8:state state_ref="oval:ssg-state_rhel7_computenode:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sl-release is version 6" id="oval:ssg-test_sl6:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_sl6:obj:1" />
<ns8:state state_ref="oval:ssg-state_sl6:ste:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sl-release is version 7" id="oval:ssg-test_sl7:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_sl7:obj:1" />
<ns8:state state_ref="oval:ssg-state_sl7:ste:1" />
</ns8:rpminfo_test>
<ns6:textfilecontent54_test check="all" comment="kernel module dccp disabled" id="oval:ssg-test_kernmod_dccp_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_dccp_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module dccp disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_dccp_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_dccp_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module dccp disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_dccp_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_dccp_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module dccp disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_dccp_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_dccp_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module dccp disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_dccp_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_dccp_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module usb-storage disabled" id="oval:ssg-test_kernmod_usb-storage_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_usb-storage_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module usb-storage disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module usb-storage disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_usb-storage_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_usb-storage_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module usb-storage disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_usb-storage_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_usb-storage_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module usb-storage disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_usb-storage_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_usb-storage_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Tests the value of the ssl start_tls setting in the /etc/nslcd.conf file" id="oval:ssg-test_ldap_client_start_tls_ssl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_ldap_client_start_tls_ssl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Tests the value of the tls_cacertdir setting in the /etc/nslcd.conf file" id="oval:ssg-test_ldap_client_tls_cacertdir:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_ldap_client_tls_cacertdir:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Tests the value of the tls_cacertfile setting in the /etc/nslcd.conf file" id="oval:ssg-test_ldap_client_tls_cacertfile:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_ldap_client_tls_cacertfile:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Test HostLimit" id="oval:ssg-test_logwatch_configured_hostlimit:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_logwatch_configured_hostlimit:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Test SplitHosts" id="oval:ssg-test_logwatch_configured_splithosts:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_logwatch_configured_splithosts:obj:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="nodev on /dev/shm" id="oval:ssg-test_nodev_dev_shm:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_dev_shm_partition_nodev:obj:1" />
<ns8:state state_ref="oval:ssg-state_dev_shm_nodev:ste:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="noexec on /dev/shm" id="oval:ssg-test_noexec_dev_shm:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_dev_shm_partition_noexec:obj:1" />
<ns8:state state_ref="oval:ssg-state_dev_shm_noexec:ste:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="nosuid on /dev/shm" id="oval:ssg-test_nosuid_dev_shm:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_dev_shm_partition_nosuid:obj:1" />
<ns8:state state_ref="oval:ssg-state_dev_shm_nosuid:ste:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="nodev on local filesystems" id="oval:ssg-test_nodev_nonroot_local_partitions:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_non_root_partitions:obj:1" />
<ns8:state state_ref="oval:ssg-state_local_nodev:ste:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="all nfs has nodev" id="oval:ssg-test_nfs_nodev_etc_fstab:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nfs_nodev_etc_fstab:obj:1" />
<ns6:state state_ref="oval:ssg-state_remote_filesystem_nodev:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="no nfs" id="oval:ssg-test_no_nfs_defined_etc_fstab_nodev:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_no_nfs_defined_etc_fstab_nodev:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="none_exist" comment="Check if expected removable partitions truly exist on the system" id="oval:ssg-test_removable_partition_doesnt_exist:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_removable_partition_doesnt_exist:obj:1" />
</ns7:file_test>
<ns6:variable_test check="all" comment="Check if removable partition variable value represents CD/DVD drive" id="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_var_removable_partition_is_cd_dvd_drive:obj:1" />
<ns6:state state_ref="oval:ssg-state_var_removable_partition_is_cd_dvd_drive:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" comment="'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" id="oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1" />
<ns6:state state_ref="oval:ssg-state_nodev_etc_fstab_cd_dvd_drive:ste:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" comment="'nodev' mount option used for at least one CD / DVD drive alternative names in runtime configuration" id="oval:ssg-test_nodev_runtime_cd_dvd_drive:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_nodev_runtime_cd_dvd_drive:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'nodev' mount option in /etc/fstab" id="oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1" />
<ns6:state state_ref="oval:ssg-state_nodev_etc_fstab_not_cd_dvd_drive:ste:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="'nodev' mount option used for removable partition in runtime configuration" id="oval:ssg-test_nodev_runtime_not_cd_dvd_drive:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_nodev_runtime_not_cd_dvd_drive:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="all" comment="'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" id="oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1" />
<ns6:state state_ref="oval:ssg-state_noexec_etc_fstab_cd_dvd_drive:ste:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" comment="'noexec' mount option used for at least one CD / DVD drive alternative names in runtime configuration" id="oval:ssg-test_noexec_runtime_cd_dvd_drive:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_noexec_runtime_cd_dvd_drive:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'noexec' mount option in /etc/fstab" id="oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1" />
<ns6:state state_ref="oval:ssg-state_noexec_etc_fstab_not_cd_dvd_drive:ste:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="'noexec' mount option used for removable partition in runtime configuration" id="oval:ssg-test_noexec_runtime_not_cd_dvd_drive:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_noexec_runtime_not_cd_dvd_drive:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="all nfs has nosuid" id="oval:ssg-test_nfs_nosuid_etc_fstab:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nfs_nosuid_etc_fstab:obj:1" />
<ns6:state state_ref="oval:ssg-state_remote_filesystem_nosuid:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="no nfs" id="oval:ssg-test_no_nfs_defined_etc_fstab_nosuid:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_no_nfs_defined_etc_fstab_nosuid:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="oval:ssg-test_no_netrc_files_home:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_no_netrc_files_home:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" comment="'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" id="oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1" />
<ns6:state state_ref="oval:ssg-state_nosuid_etc_fstab_cd_dvd_drive:ste:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" comment="'nosuid' mount option used for at least one CD / DVD drive alternative names in runtime configuration" id="oval:ssg-test_nosuid_runtime_cd_dvd_drive:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_nosuid_runtime_cd_dvd_drive:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'nosuid' mount option in /etc/fstab" id="oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1" />
<ns6:state state_ref="oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="'nosuid' mount option used for removable partition in runtime configuration" id="oval:ssg-test_nosuid_runtime_not_cd_dvd_drive:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_nosuid_runtime_not_cd_dvd_drive:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="check for no cifs in /etc/fstab" id="oval:ssg-test_20340111:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_20340111:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for sec=krb5i or sec=ntlmv2i in /etc/fstab" id="oval:ssg-test_20340112:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_20340111:obj:1" />
<ns6:state state_ref="oval:ssg-state_20340112:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="check for no cifs in /etc/mtab" id="oval:ssg-test_20340113:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_20340112:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for sec=krb5i or sec=ntlmv2i in /etc/mtab" id="oval:ssg-test_20340114:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_20340112:obj:1" />
<ns6:state state_ref="oval:ssg-state_20340112:ste:1" />
</ns6:textfilecontent54_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="nodev on /tmp" id="oval:ssg-test_nodev_tmp:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_tmp_nodev_partition:obj:1" />
<ns8:state state_ref="oval:ssg-state_tmp_nodev:ste:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="noexec on /tmp" id="oval:ssg-test_noexec_tmp:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_tmp_noexec_partition:obj:1" />
<ns8:state state_ref="oval:ssg-state_tmp_noexec:ste:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="nosuid on /tmp" id="oval:ssg-test_nosuid_tmp:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_tmp_nosuid_partition:obj:1" />
<ns8:state state_ref="oval:ssg-state_tmp_nosuid:ste:1" />
</ns8:partition_test>
<ns8:partition_test check="all" comment="Ensure /var/tmp is mounted" id="oval:ssg-test_mount_option_var_tmp:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_mount_option_var_tmp:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure bind mount option is on /var/tmp" id="oval:ssg-test_mount_option_var_tmp_bind:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_mount_option_var_tmp_bind:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check NOZEROCONF=yes in /etc/sysconfig/network" id="oval:ssg-test_sysconfig_nozeroconf_yes:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sysconfig_nozeroconf_yes:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Define default gateways" id="oval:ssg-test_network_ipv6_default_gateway:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_ipv6_default_gateway:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Test for udp6 based rpc services" id="oval:ssg-test_network_ipv6_disable_rpc_udp6:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_ipv6_disable_rpc_udp6:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Test for tcp6 based rpc services" id="oval:ssg-test_network_ipv6_disable_rpc_tcp6:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_ipv6_disable_rpc_tcp6:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Enable privacy extensions on each interface" id="oval:ssg-test_network_ipv6_privacy_extensions:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_ipv6_privacy_extensions:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Set static IPv6 address on each interface" id="oval:ssg-test_network_ipv6_static_address:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_ipv6_static_address:obj:1" />
</ns6:textfilecontent54_test>
<ns7:interface_test check="all" check_existence="at_least_one_exists" comment="random" id="oval:ssg-test_promisc_interfaces:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_promisc_interfaces:obj:1" />
<ns7:state state_ref="oval:ssg-state_promisc:ste:1" />
</ns7:interface_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="/etc/securetty file exists" id="oval:ssg-test_etc_securetty_exists:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_securetty_exists:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="no entries in /etc/securetty" id="oval:ssg-test_no_direct_root_logins:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_no_direct_root_logins:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure nullok is not used in /etc/pam.d/system-auth" id="oval:ssg-test_no_empty_passwords:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_no_empty_passwords:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="none_exist" comment="Check user ids on all files on the system" id="oval:ssg-no_files_unowned_by_user_test:tst:1" version="1">
<ns7:object object_ref="oval:ssg-file_permissions_unowned_object:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the insecure locks in /etc/exports" id="oval:ssg-test_no_insecure_locks_exports:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_no_insecure_locks_exports:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /root" id="oval:ssg-test_no_rsh_trust_files_root:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_no_rsh_trust_files_root:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts or .shosts in /home" id="oval:ssg-test_no_rsh_trust_files_home:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_no_rsh_trust_files_home:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="look for /etc/hosts.equiv or /etc/shosts.equiv" id="oval:ssg-test_no_rsh_trust_files_etc:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_no_rsh_trust_files_etc:obj:1" />
</ns7:file_test>
<ns6:variable_test check="all" check_existence="all_exist" comment="&lt;0, UID_MIN - 1&gt; system UIDs having shell set" id="oval:ssg-test_shell_defined_default_uid_range:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_shell_defined_default_uid_range:obj:1" />
<ns6:state state_ref="oval:ssg-state_shell_defined_default_uid_range:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="SYS_UID_MIN not defined in /etc/login.defs" id="oval:ssg-test_sys_uid_min_not_defined:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_last_sys_uid_min_from_etc_login_defs:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="SYS_UID_MAX not defined in /etc/login.defs" id="oval:ssg-test_sys_uid_max_not_defined:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_last_sys_uid_max_from_etc_login_defs:obj:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" check_existence="all_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set" id="oval:ssg-test_shell_defined_reserved_uid_range:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_shell_defined_reserved_uid_range:obj:1" />
<ns6:state state_ref="oval:ssg-state_shell_defined_reserved_uid_range:ste:1" />
</ns6:variable_test>
<ns6:variable_test check="all" check_existence="all_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set" id="oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_shell_defined_dynalloc_uid_range:obj:1" />
<ns6:state state_ref="oval:ssg-state_shell_defined_dynalloc_uid_range:ste:1" />
</ns6:variable_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package aide is installed" id="oval:ssg-test_package_aide_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_aide_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package audit is installed" id="oval:ssg-test_package_audit_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_audit_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package bind is removed" id="oval:ssg-test_package_bind_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_bind_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package dconf is installed" id="oval:ssg-test_package_dconf_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_dconf_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package dhcp is removed" id="oval:ssg-test_package_dhcp_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_dhcp_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package dovecot is removed" id="oval:ssg-test_package_dovecot_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_dovecot_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package dracut-fips is installed" id="oval:ssg-test_package_dracut-fips_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_dracut-fips_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package gdm is installed" id="oval:ssg-test_package_gdm_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_gdm_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package httpd is removed" id="oval:ssg-test_package_httpd_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_httpd_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package libreswan is installed" id="oval:ssg-test_package_libreswan_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_libreswan_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package mcstrans is removed" id="oval:ssg-test_package_mcstrans_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_mcstrans_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package net-snmp is removed" id="oval:ssg-test_package_net-snmp_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_net-snmp_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package nss-pam-ldapd is removed" id="oval:ssg-test_package_nss-pam-ldapd_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_nss-pam-ldapd_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package ntp is installed" id="oval:ssg-test_package_ntp_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_ntp_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package openldap-servers is removed" id="oval:ssg-test_package_openldap-servers_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_openldap-servers_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package openssh-server is removed" id="oval:ssg-test_package_openssh-server_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_openssh-server_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package prelink is removed" id="oval:ssg-test_package_prelink_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_prelink_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package rsh-server is removed" id="oval:ssg-test_package_rsh-server_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_rsh-server_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package rsh is removed" id="oval:ssg-test_package_rsh_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_rsh_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package rsyslog is installed" id="oval:ssg-test_package_rsyslog_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_rsyslog_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package samba-common is removed" id="oval:ssg-test_package_samba-common_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_samba-common_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package screen is installed" id="oval:ssg-test_package_screen_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_screen_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package sendmail is removed" id="oval:ssg-test_package_sendmail_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_sendmail_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package setroubleshoot is removed" id="oval:ssg-test_package_setroubleshoot_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_setroubleshoot_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package squid is removed" id="oval:ssg-test_package_squid_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_squid_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package talk-server is removed" id="oval:ssg-test_package_talk-server_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_talk-server_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package talk is removed" id="oval:ssg-test_package_talk_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_talk_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package telnet-server is removed" id="oval:ssg-test_package_telnet-server_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_telnet-server_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package telnet is removed" id="oval:ssg-test_package_telnet_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_telnet_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package tftp-server is removed" id="oval:ssg-test_package_tftp-server_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_tftp-server_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package tftp is removed" id="oval:ssg-test_package_tftp_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_tftp_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package vsftpd is installed" id="oval:ssg-test_package_vsftpd_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_vsftpd_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package vsftpd is removed" id="oval:ssg-test_package_vsftpd_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_vsftpd_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package xinetd is removed" id="oval:ssg-test_package_xinetd_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_xinetd_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package xorg-x11-server-common is removed" id="oval:ssg-test_package_xorg-x11-server-common_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_xorg-x11-server-common_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package ypbind is removed" id="oval:ssg-test_package_ypbind_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_ypbind_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package ypserv is removed" id="oval:ssg-test_package_ypserv_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_ypserv_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="/home on own partition" id="oval:ssg-test_home_partition:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_mount_home_own_partition:obj:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="/tmp on own partition" id="oval:ssg-test_tmp_partition:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_own_tmp_partition:obj:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="/var on own partition" id="oval:ssg-test_var_partition:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_mount_var_own_partition:obj:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="/var/log on own partition" id="oval:ssg-test_var_log_partition:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_mount_var_log_own_partition:obj:1" />
</ns8:partition_test>
<ns8:partition_test check="all" check_existence="all_exist" comment="check for /var/log/audit partition" id="oval:ssg-test_var_log_audit_partition:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_mount_var_log_audit_own_partition:obj:1" />
</ns8:partition_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Set banner" id="oval:ssg-test_postfix_server_banner:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_postfix_server_banner:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that /sbin/sulogin was not removed from the default systemd rescue.service to ensure that a password must be entered to access single user mode" id="oval:ssg-test_require_rescue_service:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_require_rescue_service:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that the systemd rescue.service is in the runlevel1.target" id="oval:ssg-test_require_rescue_service_runlevel1:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_require_rescue_service_runlevel1:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="look for rescue.service in /etc/systemd/system" id="oval:ssg-test_no_custom_rescue_service:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_no_custom_rescue_service:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="at_least_one_exists" comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg-test_no_custom_runlevel1_target:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_no_custom_runlevel1_target:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for client signing = mandatory in /etc/samba/smb.conf" id="oval:ssg-test_require_smb_client_signing:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_require_smb_client_signing:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="serial ports /etc/securetty" id="oval:ssg-test_serial_ports_etc_securetty:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_serial_ports_etc_securetty:obj:1" />
</ns6:textfilecontent54_test>
<ns6:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with : or ." id="oval:ssg-test_env_var_begins:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_root_path_no_dot:obj:1" />
<ns6:state state_ref="oval:ssg-state_begins_colon_period:ste:1" />
</ns6:environmentvariable58_test>
<ns6:environmentvariable58_test check="none satisfy" comment="environment variable PATH doesn't contain : twice in a row" id="oval:ssg-test_env_var_contains_doublecolon:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_root_path_no_dot:obj:1" />
<ns6:state state_ref="oval:ssg-state_contains_double_colon:ste:1" />
</ns6:environmentvariable58_test>
<ns6:environmentvariable58_test check="none satisfy" comment="environment variable PATH doesn't contain . twice in a row" id="oval:ssg-test_env_var_contains_doubleperiod:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_root_path_no_dot:obj:1" />
<ns6:state state_ref="oval:ssg-state_contains_double_period:ste:1" />
</ns6:environmentvariable58_test>
<ns6:environmentvariable58_test check="none satisfy" comment="environment variable PATH ends with : or ." id="oval:ssg-test_env_var_ends:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_root_path_no_dot:obj:1" />
<ns6:state state_ref="oval:ssg-state_ends_colon_period:ste:1" />
</ns6:environmentvariable58_test>
<ns6:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with an absolute path /" id="oval:ssg-test_env_var_begins_slash:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_root_path_no_dot:obj:1" />
<ns6:state state_ref="oval:ssg-state_begins_slash:ste:1" />
</ns6:environmentvariable58_test>
<ns6:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains relative paths" id="oval:ssg-test_env_var_contains_relative_path:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_root_path_no_dot:obj:1" />
<ns6:state state_ref="oval:ssg-state_contains_relative_path:ste:1" />
</ns6:environmentvariable58_test>
<ns8:rpmverifyfile_test check="all" check_existence="none_exist" comment="verify file md5 hashes" id="oval:ssg-test_files_fail_md5_hash:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_files_fail_md5_hash:obj:1" />
</ns8:rpmverifyfile_test>
<ns8:rpmverifyfile_test check="all" check_existence="none_exist" comment="user ownership of all files matches local rpm database" id="oval:ssg-test_verify_all_rpms_user_ownership:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_files_fail_user_ownership:obj:1" />
</ns8:rpmverifyfile_test>
<ns8:rpmverifyfile_test check="all" check_existence="none_exist" comment="group ownership of all files matches local rpm database" id="oval:ssg-test_verify_all_rpms_group_ownership:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_files_fail_group_ownership:obj:1" />
</ns8:rpmverifyfile_test>
<ns8:rpmverifyfile_test check="all" check_existence="none_exist" comment="mode of all files matches local rpm database" id="oval:ssg-test_verify_all_rpms_mode:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_files_fail_mode:obj:1" />
</ns8:rpmverifyfile_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Ensure that the /etc/rsyslog.conf does not contain $InputTCPServerRun | $UDPServerRun | $InputRELPServerRun" id="oval:ssg-test_rsyslog_nolisten:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_rsyslog_nolisten:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensures system configured to export logs to remote host" id="oval:ssg-test_remote_rsyslog_conf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_remote_loghost_rsyslog_conf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensures system configured to export logs to remote host" id="oval:ssg-test_remote_rsyslog_d:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_remote_loghost_rsyslog_d:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="virtual consoles /etc/securetty" id="oval:ssg-test_virtual_consoles_etc_securetty:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_virtual_consoles_etc_securetty:obj:1" />
</ns6:textfilecontent54_test>
<ns8:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="oval:ssg-test_selinux_all_devicefiles_labeled:tst:1" version="2">
<ns8:object object_ref="oval:ssg-object_selinux_all_devicefiles_labeled:obj:1" />
<ns8:state state_ref="oval:ssg-state_selinux_all_devicefiles_labeled:ste:1" />
</ns8:selinuxsecuritycontext_test>
<ns8:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="device_t in /dev" id="oval:ssg-test_selinux_confinement_of_daemons:tst:1" version="2">
<ns8:object object_ref="oval:ssg-object_selinux_confinement_of_daemons:obj:1" />
<ns8:state state_ref="oval:ssg-state_selinux_confinement_of_daemons:ste:1" />
</ns8:selinuxsecuritycontext_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file" id="oval:ssg-test_selinux_policy:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_selinux_policy:obj:1" />
<ns6:state state_ref="oval:ssg-state_selinux_policy:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="/selinux/enforce is 1" id="oval:ssg-test_etc_selinux_config:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_selinux_config:obj:1" />
<ns6:state state_ref="oval:ssg-state_etc_selinux_config:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check /etc/firewalld/firewalld.conf DefaultZone for drop" id="oval:ssg-test_firewalld_input_drop:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_firewalld_input_drop:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="The password hashing algorithm should be set correctly in /etc/libuser.conf" id="oval:ssg-test_etc_libuser_conf_cryptstyle:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_libuser_conf_cryptstyle:obj:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" comment="The value of ENCRYPT_METHOD should be set appropriately in /etc/login.defs" id="oval:ssg-test_etc_login_defs_encrypt_method:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_last_encrypt_method_instance_value:obj:1" />
<ns6:state state_ref="oval:ssg-state_last_encrypt_method_instance_value:ste:1" />
</ns6:variable_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check /etc/pam.d/system-auth for correct settings" id="oval:ssg-test_pam_unix_sha512:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_pam_unix_sha512:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg-test_snmp_default_communities:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_snmp_default_communities:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Check snmpd configuration" id="oval:ssg-test_snmp_versions:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_snmp_versions:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="sshd uses protocol 2" id="oval:ssg-test_sshd_allow_only_protocol2:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_sshd_allow_only_protocol2:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitEmptyPasswords[\s]*(&lt;:nocomment:&gt;*) setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_permitemptypasswords_no:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_permitemptypasswords_no:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the IgnoreRhosts[\s]*(&lt;:nocomment:&gt;*) setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_rsh_emulation_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_rsh_emulation_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the PermitRootLogin[\s]*(&lt;:nocomment:&gt;*) setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_permitrootlogin_no:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_permitrootlogin_no:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Check value of PermitUserEnvironment in /etc/ssh/sshd_config" id="oval:ssg-test_sshd_no_user_envset:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_no_user_envset:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the Banner[\s]+/etc/issue setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_banner_set:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_banner_set:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="oval:ssg-test_sshd_idle_timeout:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_sshd_idle_timeout:obj:1" />
<ns6:state state_ref="oval:ssg-state_timeout_value_upper_bound:ste:1" />
<ns6:state state_ref="oval:ssg-state_timeout_value_lower_bound:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_clientalivecountmax:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_clientalivecountmax:obj:1" />
<ns6:state state_ref="oval:ssg-state_sshd_clientalivecountmax:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Ciphers setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_use_approved_ciphers:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_use_approved_ciphers:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of MACs setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_use_approved_macs:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_use_approved_macs:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file" id="oval:ssg-test_sysconfig_networking_bootproto_ifcfg:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sysconfig_networking_bootproto_ifcfg:obj:1" />
<ns6:state state_ref="oval:ssg-state_sysconfig_networking_bootproto_ifcfg:ste:1" />
</ns6:textfilecontent54_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter kernel.exec-shield set to 1" id="oval:ssg-test_runtime_sysctl_kernel_exec_shield:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_kernel_exec_shield:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_kernel_exec_shield:ste:1" />
</ns7:sysctl_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="kernel.exec-shield static configuration" id="oval:ssg-test_static_sysctl_kernel_exec_shield:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_kernel_exec_shield:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="NX is disabled" id="oval:ssg-test_nx_disabled_grub:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nx_disabled_grub:obj:1" />
</ns6:textfilecontent54_test>
<ns6:variable_test check="all" comment="Test the retrieved /etc/init.d/functions umask value(s) match the var_umask_for_daemons requirement" id="oval:ssg-tst_umask_for_daemons:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_umask_for_daemons:obj:1" />
<ns6:state state_ref="oval:ssg-ste_umask_for_daemons:ste:1" />
</ns6:variable_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="Check kernel.dmesg_restrict kernel runtime parameter" id="oval:ssg-test_runtime_kernel_dmesg_restrict:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_runtime_kernel_dmesg_restrict:obj:1" />
<ns7:state state_ref="oval:ssg-state_runtime_kernel_dmesg_restrict:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter kernel.randomize_va_space set to 2" id="oval:ssg-test_runtime_sysctl_kernel_randomize_va_space:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_kernel_randomize_va_space:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_kernel_randomize_va_space:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1" />
</ns7:sysctl_test>
<ns6:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Check kernel.dmesg_restrict static configuration in /etc/sysctl.d/*" id="oval:ssg-test_static_sysctld_kernel_dmesg_restrict:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctld_kernel_dmesg_restrict:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_kernel_dmesg_restrict:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="Check kernel.dmesg_restrict static configuration in /etc/sysctl.conf" id="oval:ssg-test_static_etc_sysctl_kernel_dmesg_restrict:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctl_kernel_dmesg_restrict:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_kernel_dmesg_restrict:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Check kernel.dmesg_restrict is not used in some file from /etc/sysctl.d/* location" id="oval:ssg-test_static_sysctld_kernel_dmesg_restrict_not_used:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctld_kernel_dmesg_restrict:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="kernel.randomize_va_space static configuration" id="oval:ssg-test_static_sysctl_kernel_randomize_va_space:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_kernel_randomize_va_space:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_kernel_randomize_va_space:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_kernel_randomize_va_space:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_kernel_randomize_va_space:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_kernel_randomize_va_space:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_kernel_randomize_va_space:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_kernel_randomize_va_space:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.all.disable_ipv6 static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_all_disable_ipv6:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_disable_ipv6:obj:1" />
</ns6:textfilecontent54_test>
<ns7:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppc_64:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_system_info_architecture_ppc_64:obj:1" />
<ns7:state state_ref="oval:ssg-state_system_info_architecture_ppc_64:ste:1" />
</ns7:uname_test>
<ns7:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_system_info_architecture_ppcle_64:obj:1" />
<ns7:state state_ref="oval:ssg-state_system_info_architecture_ppcle_64:ste:1" />
</ns7:uname_test>
<ns7:uname_test check="all" comment="32 bit architecture" id="oval:ssg-test_system_info_architecture_x86:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_system_info_architecture_x86:obj:1" />
<ns7:state state_ref="oval:ssg-state_system_info_architecture_x86:ste:1" />
</ns7:uname_test>
<ns7:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_x86_64:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_system_info_architecture_x86_64:obj:1" />
<ns7:state state_ref="oval:ssg-state_system_info_architecture_x86_64:ste:1" />
</ns7:uname_test>
<ns6:textfilecontent54_test check="all" comment="tftpd secure mode" id="oval:ssg-test_tftpd_uses_secure_mode:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_tftpd_uses_secure_mode:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing user ownership of /etc/shadow" id="oval:ssg-test_userowner_shadow_file:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_etc_shadow:obj:1" />
<ns7:state state_ref="oval:ssg-state_etc_shadow_uid_root:ste:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="query /proc/net/wireless" id="oval:ssg-test_wireless_disable_interfaces:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_wireless_disable_interfaces:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check FAIL_DELAY in /etc/login.defs" id="oval:ssg-test_accounts_logon_fail_delay:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_accounts_logon_fail_delay:obj:1" />
<ns6:state state_ref="oval:ssg-state_accounts_logon_fail_delay:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/system-auth" id="oval:ssg-test_pam_faillock_preauth_silent_system-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_pam_faillock_preauth_silent_system-auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/system-auth (authfail)" id="oval:ssg-test_pam_faillock_authfail_deny_root_system-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_pam_faillock_authfail_deny_root_system-auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check pam_faillock.so preauth silent present in /etc/pam.d/password-auth" id="oval:ssg-test_pam_faillock_preauth_silent_password-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_pam_faillock_preauth_silent_password-auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Check maximum failed login attempts allowed in /etc/pam.d/password-auth (authfail)" id="oval:ssg-test_pam_faillock_authfail_deny_root_password-auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_pam_faillock_authfail_deny_root_password-auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of clean_requirements_on_remove in /etc/yum.conf" id="oval:ssg-test_yum_clean_components_post_updating:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_yum_clean_components_post_updating:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_x11_forwarding:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_enable_x11_forwarding:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of localpkg_gpgcheck in /etc/yum.conf" id="oval:ssg-test_yum_ensure_gpgcheck_local_packages:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_yum_ensure_gpgcheck_local_packages:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check value of repo_gpgcheck in /etc/yum.conf" id="oval:ssg-test_yum_ensure_gpgcheck_repo_metadata:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_yum_ensure_gpgcheck_repo_metadata:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:ssg-test_file_permissions_sshd_private_key:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_sshd_private_key:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_permissions_sshd_private_key:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:ssg-test_file_permissions_sshd_pub_key:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_sshd_pub_key:obj:1" />
<ns7:state state_ref="oval:ssg-state_file_permissions_sshd_pub_key:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="setgid files outside system RPMs" id="oval:ssg-check_setgid_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_unauthorized_sgid:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="none_exist" comment="setuid files outside system RPMs" id="oval:ssg-check_setuid_files:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_file_permissions_unauthorized_suid:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" id="oval:ssg-test_grub2_enable_fips_mode:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_grub2_enable_fips_mode:obj:1" />
<ns6:state state_ref="oval:ssg-state_grub2_enable_fips_mode:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" id="oval:ssg-test_grub2_enable_fips_mode_default:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_grub2_enable_fips_mode_default:obj:1" />
<ns6:state state_ref="oval:ssg-state_grub2_enable_fips_mode:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="check for GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub" id="oval:ssg-test_grub2_default_exists:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_grub2_default_exists:obj:1" />
</ns6:textfilecontent54_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="Package kernel-PAE is installed" id="oval:ssg-test_package_kernel-PAE_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_kernel-PAE_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="AntiVirus package is installed" id="oval:ssg-test_mcafee_runtime_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_mcafee_runtime_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="AntiVirus package is installed" id="oval:ssg-test_mcafee_management_agent:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_mcafee_management_agent:obj:1" />
</ns8:rpminfo_test>
<ns7:file_test check="all" check_existence="all_exist" comment="McAfee ACCM installed" id="oval:ssg-test_mcafee_accm_exists:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_mcafee_accm_exists:obj:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="McAfee Audit Engine installed" id="oval:ssg-test_mcafee_auditengine_exists:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_mcafee_auditengine_exists:obj:1" />
</ns7:file_test>
<ns6:textfilecontent54_test check="all" comment="kernel module bluetooth disabled" id="oval:ssg-test_kernmod_bluetooth_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_bluetooth_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module bluetooth disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module bluetooth disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_bluetooth_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_bluetooth_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module bluetooth disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_bluetooth_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_bluetooth_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module bluetooth disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_bluetooth_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_bluetooth_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module cramfs disabled" id="oval:ssg-test_kernmod_cramfs_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_cramfs_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module cramfs disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module cramfs disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_cramfs_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_cramfs_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module cramfs disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_cramfs_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_cramfs_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module cramfs disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_cramfs_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_cramfs_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module freevxfs disabled" id="oval:ssg-test_kernmod_freevxfs_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_freevxfs_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module freevxfs disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module freevxfs disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_freevxfs_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_freevxfs_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module freevxfs disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_freevxfs_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_freevxfs_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module freevxfs disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_freevxfs_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_freevxfs_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfs disabled" id="oval:ssg-test_kernmod_hfs_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfs_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfs disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_hfs_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfs disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_hfs_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfs_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfs disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_hfs_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfs_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfs disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_hfs_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfs_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfsplus disabled" id="oval:ssg-test_kernmod_hfsplus_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfsplus_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfsplus disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfsplus disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_hfsplus_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfsplus_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfsplus disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_hfsplus_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfsplus_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module hfsplus disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_hfsplus_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_hfsplus_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module jffs2 disabled" id="oval:ssg-test_kernmod_jffs2_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_jffs2_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module jffs2 disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module jffs2 disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_jffs2_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_jffs2_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module jffs2 disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_jffs2_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_jffs2_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module jffs2 disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_jffs2_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_jffs2_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module sctp disabled" id="oval:ssg-test_kernmod_sctp_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_sctp_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module sctp disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_sctp_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module sctp disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_sctp_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_sctp_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module sctp disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_sctp_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_sctp_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module sctp disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_sctp_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_sctp_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module squashfs disabled" id="oval:ssg-test_kernmod_squashfs_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_squashfs_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module squashfs disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module squashfs disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_squashfs_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_squashfs_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module squashfs disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_squashfs_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_squashfs_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module squashfs disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_squashfs_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_squashfs_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module udf disabled" id="oval:ssg-test_kernmod_udf_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_udf_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module udf disabled in /etc/modprobe.conf" id="oval:ssg-test_kernmod_udf_modprobeconf:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_udf_modprobeconf:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module udf disabled in /etc/modules-load.d" id="oval:ssg-test_kernmod_udf_etcmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_udf_etcmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module udf disabled in /run/modules-load.d" id="oval:ssg-test_kernmod_udf_runmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_udf_runmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="kernel module udf disabled in /usr/lib/modules-load.d" id="oval:ssg-test_kernmod_udf_libmodules-load:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_kernmod_udf_libmodules-load:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="all nfs has krb_sec" id="oval:ssg-test_nfs_krb_sec_etc_fstab:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nfs_krb_sec_etc_fstab:obj:1" />
<ns6:state state_ref="oval:ssg-state_remote_filesystem_krb_sec:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="no nfs" id="oval:ssg-test_no_nfs_defined_etc_fstab_krb_sec:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_no_nfs_defined_etc_fstab_krb_sec:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests for the existence of DHCP_HOSTNAME in the /etc/sysconfig/network-scripts/ifcfg-.* file" id="oval:ssg-test_network_disable_ddns_interfaces_ifcfg:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_disable_ddns_interfaces_ifcfg:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests for the existence of 'send host-name' in /etc/dhclient.conf file" id="oval:ssg-test_network_disable_ddns_interfaces_dhclient:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_disable_ddns_interfaces_dhclient:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests for the existence of 'send host-name' in the /etc/dhcp folder" id="oval:ssg-test_network_disable_ddns_interfaces_dhcp:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_network_disable_ddns_interfaces_dhcp:obj:1" />
</ns6:textfilecontent54_test>
<ns7:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:ssg-test_runlevel0_nails:tst:1" version="2">
<ns7:object object_ref="oval:ssg-obj_runlevel0_nails:obj:1" />
<ns7:state state_ref="oval:ssg-state_service_nails_on:ste:1" />
</ns7:runlevel_test>
<ns7:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:ssg-test_runlevel1_nails:tst:1" version="2">
<ns7:object object_ref="oval:ssg-obj_runlevel1_nails:obj:1" />
<ns7:state state_ref="oval:ssg-state_service_nails_on:ste:1" />
</ns7:runlevel_test>
<ns7:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:ssg-test_runlevel2_nails:tst:1" version="2">
<ns7:object object_ref="oval:ssg-obj_runlevel2_nails:obj:1" />
<ns7:state state_ref="oval:ssg-state_service_nails_on:ste:1" />
</ns7:runlevel_test>
<ns7:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:ssg-test_runlevel3_nails:tst:1" version="2">
<ns7:object object_ref="oval:ssg-obj_runlevel3_nails:obj:1" />
<ns7:state state_ref="oval:ssg-state_service_nails_on:ste:1" />
</ns7:runlevel_test>
<ns7:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:ssg-test_runlevel4_nails:tst:1" version="2">
<ns7:object object_ref="oval:ssg-obj_runlevel4_nails:obj:1" />
<ns7:state state_ref="oval:ssg-state_service_nails_on:ste:1" />
</ns7:runlevel_test>
<ns7:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:ssg-test_runlevel5_nails:tst:1" version="2">
<ns7:object object_ref="oval:ssg-obj_runlevel5_nails:obj:1" />
<ns7:state state_ref="oval:ssg-state_service_nails_on:ste:1" />
</ns7:runlevel_test>
<ns7:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:ssg-test_runlevel6_nails:tst:1" version="2">
<ns7:object object_ref="oval:ssg-obj_runlevel6_nails:obj:1" />
<ns7:state state_ref="oval:ssg-state_service_nails_on:ste:1" />
</ns7:runlevel_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_sshd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_sshd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_sshd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Compression setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_compression:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_disable_compression:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_gssapi_auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_disable_gssapi_auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_kerb_auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_disable_kerb_auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of StrictModes setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_strictmodes:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_enable_strictmodes:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_printlastlog:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_enable_printlastlog:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of UsePrivilegeSeparation setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_use_priv_separation:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sshd_use_priv_separation:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of memcache_timeoutsetting in the /etc/sssd/sssd.conf file" id="oval:ssg-test_sssd_memcache_timeout:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sssd_memcache_timeout:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file" id="oval:ssg-test_sssd_offline_cred_expiration:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sssd_offline_cred_expiration:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of ssh_known_hosts_timeout setting in the /etc/sssd/sssd.conf file" id="oval:ssg-test_sssd_ssh_known_hosts_timeout:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_sssd_ssh_known_hosts_timeout:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="!authenticate does not exist in /etc/sudoers" id="oval:ssg-test_no_authenticate_etc_sudoers:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_no_authenticate_etc_sudoers:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="!authenticate does not exist in /etc/sudoers.d" id="oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD does not exist /etc/sudoers" id="oval:ssg-test_nopasswd_etc_sudoers:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nopasswd_etc_sudoers:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD does not exist in /etc/sudoers.d" id="oval:ssg-test_nopasswd_etc_sudoers_d:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_nopasswd_etc_sudoers_d:obj:1" />
</ns6:textfilecontent54_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter fs.suid_dumpable set to 0" id="oval:ssg-test_runtime_sysctl_fs_suid_dumpable:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_fs_suid_dumpable:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_fs_suid_dumpable:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_accept_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_accept_source_route:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_source_route:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_log_martians:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_log_martians:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_rp_filter:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_rp_filter:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_secure_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_secure_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_all_send_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_send_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_accept_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_accept_source_route:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_source_route:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_log_martians:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_log_martians:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_rp_filter:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_rp_filter:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.ip_forward set to 0" id="oval:ssg-test_runtime_sysctl_net_ipv4_ip_forward:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_ip_forward:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_ip_forward:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_secure_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_secure_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0" id="oval:ssg-test_runtime_sysctl_net_ipv4_conf_default_send_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_send_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv4_tcp_syncookies:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv4_tcp_syncookies:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_accept_ra:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_ra:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_accept_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_accept_source_route:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_source_route:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.all.forwarding set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_all_forwarding:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_forwarding:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_forwarding:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_default_accept_ra:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_ra:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_default_accept_redirects:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_redirects:ste:1" />
</ns7:sysctl_test>
<ns7:sysctl_test check="all" check_existence="all_exist" comment="kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value" id="oval:ssg-test_runtime_sysctl_net_ipv6_conf_default_accept_source_route:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" />
<ns7:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_source_route:ste:1" />
</ns7:sysctl_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="fs.suid_dumpable static configuration" id="oval:ssg-test_static_sysctl_fs_suid_dumpable:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_fs_suid_dumpable:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_fs_suid_dumpable:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_fs_suid_dumpable:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_fs_suid_dumpable:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_fs_suid_dumpable:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_fs_suid_dumpable:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_fs_suid_dumpable:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.all.accept_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.all.accept_source_route static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.all.log_martians static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_all_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_all_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.all.rp_filter static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_all_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_all_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.all.secure_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_all_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_all_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.all.send_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_all_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_all_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_all_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_all_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_all_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_all_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_all_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.default.accept_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.default.accept_source_route static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.default.log_martians static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_default_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_default_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_log_martians:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_log_martians:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.default.rp_filter static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_default_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_default_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_rp_filter:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_rp_filter:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.default.secure_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_default_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_secure_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_conf_default_secure_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.conf.default.send_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_conf_default_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_conf_default_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_conf_default_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_conf_default_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_conf_default_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_conf_default_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_conf_default_send_redirects:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.icmp_echo_ignore_broadcasts static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_echo_ignore_broadcasts:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.icmp_ignore_bogus_error_responses static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_icmp_ignore_bogus_error_responses:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.ip_forward static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_ip_forward:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_ip_forward:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_ip_forward:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_ip_forward:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_ip_forward:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_ip_forward:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_ip_forward:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_ip_forward:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv4.tcp_syncookies static configuration" id="oval:ssg-test_static_sysctl_net_ipv4_tcp_syncookies:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv4_tcp_syncookies:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_tcp_syncookies:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv4_tcp_syncookies:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv4_tcp_syncookies:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_tcp_syncookies:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv4_tcp_syncookies:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv4_tcp_syncookies:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_tcp_syncookies:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv4_tcp_syncookies:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv4_tcp_syncookies:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_ra static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_source_route static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.all.forwarding static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_all_forwarding:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_all_forwarding:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_forwarding:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_all_forwarding:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_all_forwarding:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_forwarding:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_all_forwarding:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_all_forwarding:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_forwarding:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.all.forwarding static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_all_forwarding:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_all_forwarding:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_all_forwarding:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_ra static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_ra:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_ra:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_redirects static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_redirects:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_redirects:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_source_route static configuration" id="oval:ssg-test_static_sysctl_net_ipv6_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_etc_sysctld_net_ipv6_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_run_sysctld_net_ipv6_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_run_sysctld_net_ipv6_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" comment="net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" id="oval:ssg-test_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_static_usr_lib_sysctld_net_ipv6_conf_default_accept_source_route:obj:1" />
<ns6:state state_ref="oval:ssg-state_static_sysctld_net_ipv6_conf_default_accept_source_route:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the Kerberos Settings in /etc/exports" id="oval:ssg-test_use_kerberos_security_all_exports:tst:1" version="2">
<ns6:object object_ref="oval:ssg-obj_use_kerberos_security_all_exports:obj:1" />
<ns6:state state_ref="oval:ssg-state_use_kerberos_security_all_exports:ste:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if a share is configured in /etc/exports" id="oval:ssg-test_non_empty_exports_file:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_non_empty_exports_file:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure more than one chronyd NTP server is set" id="oval:ssg-test_chronyd_multiple_servers:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_chronyd_multiple_servers:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one NTP server is set" id="oval:ssg-test_chronyd_remote_server:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_chronyd_remote_server:obj:1" />
</ns6:textfilecontent54_test>
<ns7:symlink_test check="all" check_existence="all_exist" comment="Disable Ctrl-Alt-Del key sequence override exists" id="oval:ssg-test_disable_ctrlaltdel_exists:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_disable_ctrlaltdel_exists:obj:1" />
<ns7:state state_ref="oval:ssg-state_disable_ctrlaltdel_exists:ste:1" />
</ns7:symlink_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the disable_plaintext_auth[\s]*(&lt;:nocomment:&gt;*) setting in the /etc/dovecot.conf file" id="oval:ssg-test_dovecot_disable_plaintext_auth:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_dovecot_disable_plaintext_auth:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ssl[\s]*(&lt;:nocomment:&gt;*) setting in the /etc/dovecot.conf file" id="oval:ssg-test_dovecot_enable_ssl:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_dovecot_enable_ssl:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure more than one ntpd NTP server is set" id="oval:ssg-test_ntpd_multiple_servers:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_ntpd_multiple_servers:obj:1" />
</ns6:textfilecontent54_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one ntpd NTP server is set" id="oval:ssg-test_ntp_remote_server:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_ntp_remote_server:obj:1" />
</ns6:textfilecontent54_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package chrony is installed" id="oval:ssg-test_package_chrony_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_chrony_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package cronie is installed" id="oval:ssg-test_package_cronie_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_cronie_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package firewalld is installed" id="oval:ssg-test_package_firewalld_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_firewalld_installed:obj:1" />
</ns8:rpminfo_test>
<ns6:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="inet_interfaces in /etc/postfix/main.cf should be set correctly" id="oval:ssg-test_postfix_network_listening_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_postfix_network_listening_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns7:file_test check="all" check_existence="all_exist" comment="System log files are owned by root group" id="oval:ssg-test_rsyslog_files_groupownership:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_rsyslog_files_groupownership:obj:1" />
<ns7:state state_ref="oval:ssg-state_rsyslog_files_groupownership:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="System log files are owned by root" id="oval:ssg-test_rsyslog_files_ownership:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_rsyslog_files_ownership:obj:1" />
<ns7:state state_ref="oval:ssg-state_rsyslog_files_ownership:ste:1" />
</ns7:file_test>
<ns7:file_test check="all" check_existence="all_exist" comment="Permissions of system log files are 0600" id="oval:ssg-test_rsyslog_files_permissions:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_rsyslog_files_permissions:obj:1" />
<ns7:state state_ref="oval:ssg-state_rsyslog_files_permissions:ste:1" />
</ns7:file_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_dovecot_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_dovecot:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_dovecot_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns7:symlink_test check="all" check_existence="all_exist" comment="default.target systemd softlink exists" id="oval:ssg-test_disable_xwindows_runlevel:tst:1" version="1">
<ns7:object object_ref="oval:ssg-object_disable_xwindows_runlevel:obj:1" />
<ns7:state state_ref="oval:ssg-state_disable_xwindows_runlevel:ste:1" />
</ns7:symlink_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package abrt is removed" id="oval:ssg-test_package_abrt_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_abrt_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package acpid is removed" id="oval:ssg-test_package_acpid_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_acpid_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package at is removed" id="oval:ssg-test_package_at_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_at_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package autofs is removed" id="oval:ssg-test_package_autofs_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_autofs_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package avahi is removed" id="oval:ssg-test_package_avahi_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_avahi_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package bluez is removed" id="oval:ssg-test_package_bluez_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_bluez_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package certmonger is removed" id="oval:ssg-test_package_certmonger_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_certmonger_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package cups is removed" id="oval:ssg-test_package_cups_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_cups_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package cyrus-sasl is removed" id="oval:ssg-test_package_cyrus-sasl_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_cyrus-sasl_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package dbus is removed" id="oval:ssg-test_package_dbus_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_dbus_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package esc is installed" id="oval:ssg-test_package_esc_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_esc_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package iputils is removed" id="oval:ssg-test_package_iputils_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_iputils_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package irqbalance is installed" id="oval:ssg-test_package_irqbalance_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_irqbalance_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package kernel-tools is removed" id="oval:ssg-test_package_kernel-tools_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_kernel-tools_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package kexec-tools is removed" id="oval:ssg-test_package_kexec-tools_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_kexec-tools_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package libcgroup-tools is removed" id="oval:ssg-test_package_libcgroup-tools_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_libcgroup-tools_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package libcgroup is removed" id="oval:ssg-test_package_libcgroup_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_libcgroup_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package mdadm is removed" id="oval:ssg-test_package_mdadm_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_mdadm_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package nfs-utils is removed" id="oval:ssg-test_package_nfs-utils_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_nfs-utils_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package ntpdate is removed" id="oval:ssg-test_package_ntpdate_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_ntpdate_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package oddjob is removed" id="oval:ssg-test_package_oddjob_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_oddjob_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package openssh-server is installed" id="oval:ssg-test_package_openssh-server_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_openssh-server_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package pam_pkcs11 is installed" id="oval:ssg-test_package_pam_pkcs11_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_pam_pkcs11_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package pcsc-lite is installed" id="oval:ssg-test_package_pcsc-lite_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_pcsc-lite_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package portreserve is removed" id="oval:ssg-test_package_portreserve_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_portreserve_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package postfix is installed" id="oval:ssg-test_package_postfix_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_postfix_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package psacct is installed" id="oval:ssg-test_package_psacct_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_psacct_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package qpid-cpp-server is removed" id="oval:ssg-test_package_qpid-cpp-server_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_qpid-cpp-server_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package quagga is removed" id="oval:ssg-test_package_quagga_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_quagga_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package quota-nld is removed" id="oval:ssg-test_package_quota-nld_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_quota-nld_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package rhnsd is removed" id="oval:ssg-test_package_rhnsd_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_rhnsd_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package samba is removed" id="oval:ssg-test_package_samba_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_samba_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package smartmontools is removed" id="oval:ssg-test_package_smartmontools_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_smartmontools_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package sssd is installed" id="oval:ssg-test_package_sssd_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_sssd_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package subscription-manager is removed" id="oval:ssg-test_package_subscription-manager_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_subscription-manager_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="none_exist" comment="package sysstat is removed" id="oval:ssg-test_package_sysstat_removed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_sysstat_removed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package tcp_wrappers is installed" id="oval:ssg-test_package_tcp_wrappers_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_tcp_wrappers_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:rpminfo_test check="all" check_existence="all_exist" comment="package xinetd is installed" id="oval:ssg-test_package_xinetd_installed:tst:1" version="1">
<ns8:object object_ref="oval:ssg-obj_package_xinetd_installed:obj:1" />
</ns8:rpminfo_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_pcscd.socket:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_pcscd.socket:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_pcscd.socket_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_abrtd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_abrtd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_abrtd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_acpid_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_acpid:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_acpid_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_atd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_atd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_atd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_auditd:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_auditd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_auditd_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_autofs_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_autofs:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_autofs_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_avahi-daemon_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_avahi-daemon:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_avahi-daemon_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_bluetooth_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_bluetooth:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_bluetooth_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_certmonger_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_certmonger:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_certmonger_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_cgconfig_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_cgconfig:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_cgconfig_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_cgred_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_cgred:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_cgred_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_chronyd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_chronyd_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_cpupower_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_cpupower:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_cpupower_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_crond:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_crond:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_crond_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_cups_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_cups:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_cups_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_debug-shell_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_debug-shell:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_debug-shell_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_dhcpd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_dhcpd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_dhcpd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_firewalld:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_firewalld:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_firewalld_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_httpd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_httpd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_httpd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_irqbalance:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_irqbalance:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_irqbalance_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_kdump_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_kdump:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_kdump_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_mdmonitor_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_mdmonitor:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_mdmonitor_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_messagebus_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_messagebus:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_messagebus_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_named_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_named:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_named_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_netconsole_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_netconsole:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_netconsole_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_nfs_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_nfs:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_nfs_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_nfslock_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_nfslock:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_nfslock_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ntpd:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_ntpd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_ntpd_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_ntpdate_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_ntpdate:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_ntpdate_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_oddjobd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_oddjobd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_oddjobd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_portreserve_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_portreserve:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_portreserve_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_postfix:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_postfix:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_postfix_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_psacct:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_psacct:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_psacct_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_qpidd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_qpidd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_qpidd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_quota_nld_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_quota_nld:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_quota_nld_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rdisc_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rdisc:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rdisc_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns6:textfilecontent54_test check="all" comment="rexec disabled" id="oval:ssg-test_etc_xinetd_rexec_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_xinetd_rexec_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rexec_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rexec:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rexec_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rhnsd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rhnsd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rhnsd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rhsmcertd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rhsmcertd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rhsmcertd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns6:textfilecontent54_test check="all" comment="rlogin disabled" id="oval:ssg-test_etc_xinetd_rlogin_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_xinetd_rlogin_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rlogin_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rlogin:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rlogin_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rpcbind_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rpcbind:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rpcbind_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rpcgssd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rpcgssd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rpcgssd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rpcidmapd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rpcidmapd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rpcidmapd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rpcsvcgssd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rpcsvcgssd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rpcsvcgssd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns6:textfilecontent54_test check="all" comment="rsh disabled" id="oval:ssg-test_etc_xinetd_rsh_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-object_etc_xinetd_rsh_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_rsh_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rsh:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rsh_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_rsyslog:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_rsyslog:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_rsyslog_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_saslauthd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_saslauthd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_saslauthd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_smartd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_smartd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_smartd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_smb_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_smb:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_smb_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_snmpd_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_snmpd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_snmpd_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_squid_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_squid:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_squid_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_sshd:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_sshd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_sshd_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_sssd:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_sssd:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_sssd_on:ste:1" />
</ns8:systemdunitdependency_test>
<ns8:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_sysstat_not_wanted_by_multi_user_target:tst:1" version="1">
<ns8:object object_ref="oval:ssg-object_multi_user_target_for_sysstat:obj:1" />
<ns8:state state_ref="oval:ssg-state_systemd_sysstat_off:ste:1" />
</ns8:systemdunitdependency_test>
<ns6:textfilecontent54_test check="all" check_existence="none_exist" comment="Disable Telnet Service" id="oval:ssg-test_xinetd_telnetd_disabled:tst:1" version="1">
<ns6:object object_ref="oval:ssg-obj_xinetd_telnetd_disabled:obj:1" />
</ns6:textfilecontent54_test>
<ns8:systemdunitdependency_test check="all"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment