openscap 0.3.0 → 0.4.0

data/lib/openscap/xccdf/testresult.rb

@@ -0,0 +1,114 @@
+#
+# Copyright (c) 2014 Red Hat Inc.
+#
+# This software is licensed to you under the GNU General Public License,
+# version 2 (GPLv2). There is NO WARRANTY for this software, express or
+# implied, including the implied warranties of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
+# along with this software; if not, see
+# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
+#
+
+require 'openscap/source'
+require 'openscap/exceptions'
+require 'openscap/xccdf'
+require 'openscap/xccdf/ruleresult'
+
+module OpenSCAP
+  module Xccdf
+    class TestResult
+      attr_reader :rr
+      attr_reader :raw
+
+      def initialize(t)
+        case t
+        when OpenSCAP::Source
+          @raw = OpenSCAP.xccdf_result_import_source(t.raw)
+          OpenSCAP.raise! if @raw.null?
+        when FFI::Pointer
+          @raw = OpenSCAP.xccdf_result_import_source(t)
+          OpenSCAP.raise! if @raw.null?
+        else
+          raise OpenSCAP::OpenSCAPError, "Cannot initialize TestResult with #{t}"
+        end
+        init_ruleresults
+      end
+
+      def id
+        return OpenSCAP.xccdf_result_get_id(@raw)
+      end
+
+      def profile
+        return OpenSCAP.xccdf_result_get_profile(@raw)
+      end
+
+      def score
+        @score ||= score_init
+      end
+
+      def score!(benchmark)
+        #recalculate the scores in the scope of given benchmark
+        @score = nil
+        OpenSCAP.raise! unless OpenSCAP.xccdf_result_recalculate_scores(@raw, benchmark.raw) == 0
+        score
+      end
+
+      def source
+        source_p = OpenSCAP.xccdf_result_export_source(raw, nil)
+        OpenSCAP::Source.new source_p
+      end
+
+      def destroy
+        OpenSCAP.xccdf_result_free @raw
+        @raw = nil
+      end
+
+      private
+      def init_ruleresults
+        @rr = Hash.new
+        rr_it = OpenSCAP.xccdf_result_get_rule_results(@raw)
+        while OpenSCAP.xccdf_rule_result_iterator_has_more(rr_it) do
+          rr_raw = OpenSCAP.xccdf_rule_result_iterator_next(rr_it)
+          rr = OpenSCAP::Xccdf::RuleResult.new rr_raw
+          @rr[rr.id] = rr
+        end
+        OpenSCAP.xccdf_rule_result_iterator_free(rr_it)
+      end
+
+      def score_init
+        scores = Hash.new
+        scorit = OpenSCAP.xccdf_result_get_scores(@raw)
+        while OpenSCAP.xccdf_score_iterator_has_more(scorit) do
+          s = OpenSCAP.xccdf_score_iterator_next(scorit)
+          scores[OpenSCAP.xccdf_score_get_system(s)] = {
+            :system => OpenSCAP.xccdf_score_get_system(s),
+            :value => OpenSCAP.xccdf_score_get_score(s),
+            :max => OpenSCAP.xccdf_score_get_maximum(s)
+            }
+        end
+        OpenSCAP.xccdf_score_iterator_free(scorit)
+        scores
+      end
+    end
+  end
+
+  attach_function :xccdf_result_import_source, [:pointer], :pointer
+  attach_function :xccdf_result_free, [:pointer], :void
+  attach_function :xccdf_result_get_id, [:pointer], :string
+  attach_function :xccdf_result_get_profile, [:pointer], :string
+  attach_function :xccdf_result_recalculate_scores, [:pointer, :pointer], :int
+  attach_function :xccdf_result_export_source, [:pointer, :string], :pointer
+
+  attach_function :xccdf_result_get_rule_results, [:pointer] ,:pointer
+  attach_function :xccdf_rule_result_iterator_has_more, [:pointer], :bool
+  attach_function :xccdf_rule_result_iterator_free, [:pointer], :void
+  attach_function :xccdf_rule_result_iterator_next, [:pointer], :pointer
+
+  attach_function :xccdf_result_get_scores, [:pointer], :pointer
+  attach_function :xccdf_score_iterator_has_more, [:pointer], :bool
+  attach_function :xccdf_score_iterator_free, [:pointer], :void
+  attach_function :xccdf_score_iterator_next, [:pointer], :pointer
+  attach_function :xccdf_score_get_system, [:pointer], :string
+  attach_function :xccdf_score_get_score, [:pointer], OpenSCAP::Xccdf::NUMERIC
+  attach_function :xccdf_score_get_maximum, [:pointer], OpenSCAP::Xccdf::NUMERIC
+end

data/test/common/testcase.rb

@@ -34,5 +34,16 @@ module OpenSCAP
 
     def test_x
     end
+
+    protected
+    def assert_default_score(scores, low, high)
+      assert scores.size == 1
+      s = scores['urn:xccdf:scoring:default']
+      assert !s.nil?
+      assert s[:system] == 'urn:xccdf:scoring:default'
+      assert low < s[:value]
+      assert s[:value] < high
+      assert s[:max] == 100
+    end
   end
 end

data/test/data/invalid.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_second">
+  <version>1.0</version>
+  <status>incomplete</status>
+  <Profile id="xccdf_moc.elpmaxe.www_profile_1">
+    <title>is kinda compulsory</title>
+    <select idref="xccdf_moc.elpmaxe.www_rule_second" selected="true"/>
+  </Profile>
+  <Profile id="xccdf_moc.elpmaxe.www_profile_2" extends="xccdf_moc.elpmaxe.www_profile_1">
+    <title>is kinda compulsory</title>
+    <select idref="xccdf_moc.elpmaxe.www_group_one" selected="true"/>
+  </Profile>
+  <Group selected="false" id="xccdf_moc.elpmaxe.www_group_one">
+    <Rule selected="false" id="xccdf_moc.elpmaxe.www_rule_second">
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref href="stub-oval.xml"/>
+      </check>
+    </Rule>
+  </Group>
+</Benchmark>

data/test/data/testresult.xml

@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_xccdf_org.ssgproject.content_profile_common" start-time="2014-10-17T09:07:43" end-time="2014-10-17T09:07:55">
+    <benchmark href="/usr/share/xml/scap/ssg/fedora/ssg-fedora-ds.xml" id="xccdf_org.ssgproject.content_benchmark_FEDORA"/>
+    <title>OSCAP Scan Result</title>
+    <identity authenticated="false" privileged="false">root</identity>
+    <profile idref="xccdf_org.ssgproject.content_profile_common"/>
+    <target>fedora20.mydomain</target>
+    <target-address>127.0.0.1</target-address>
+    <target-address>0:0:0:0:0:0:0:1</target-address>
+    <target-facts>
+      <fact name="urn:xccdf:fact:scanner:name" type="string">OpenSCAP</fact>
+      <fact name="urn:xccdf:fact:scanner:version" type="string">1.0.9</fact>
+      <fact name="urn:xccdf:fact:ethernet:MAC" type="string">00:00:00:00:00:00</fact>
+    </target-facts><target-id-ref system="http://scap.nist.gov/schema/asset-identification/1.1" name="asset0" href=""/>
+    <platform idref="cpe:/o:fedoraproject:fedora:20"/>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_disable_prelink" time="2014-10-17T09:07:43" severity="low" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:151" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" time="2014-10-17T09:07:43" severity="high" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:140" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" time="2014-10-17T09:07:43" severity="high" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:149" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" time="2014-10-17T09:07:51" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:137" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" time="2014-10-17T09:07:53" severity="medium" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:124" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:161" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:154" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>notchecked</result>
+      <message severity="info">No candidate or applicable check found.</message>
+      <check system="ocil-transitional">
+        <check-export export-name="the /etc/securetty file is not empty" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
+To ensure root may not directly login to the system over physical consoles,
+run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">cat /etc/securetty</pre>
+If any output is returned, this is a finding.
+</check-content>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:109" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" time="2014-10-17T09:07:55" severity="low" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:144" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_no_root_webbrowsing" time="2014-10-17T09:07:55" severity="low" weight="1.000000">
+      <result>notselected</result>
+      <check system="ocil-transitional">
+        <check-export export-name="this is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
+Check the <xhtml:code>root</xhtml:code> home directory for a <xhtml:code>.mozilla</xhtml:code> directory. If
+one exists, ensure browsing is limited to local service administration.
+</check-content>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>notselected</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:122" href="#xccdf1"/>
+      </check>
+      <check system="ocil-transitional">
+        <check-export export-name="any system account (other than root) has a login shell" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
+To obtain a listing of all users,
+their UIDs, and their shells, run the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre>
+Identify the system accounts from this listing. These will
+primarily be the accounts with UID numbers less than 500, other
+than root.
+</check-content>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_no_uidzero_except_root" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:118" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_root_path_default" time="2014-10-17T09:07:55" severity="low" weight="1.000000">
+      <result>notselected</result>
+      <check system="ocil-transitional">
+        <check-export export-name="any of these conditions are not met" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
+To view the root user's <xhtml:code>PATH</xhtml:code>, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># env | grep PATH</pre>
+If correctly configured, the <xhtml:code>PATH</xhtml:code> must: use vendor default settings,
+have no empty entries, and have no entries beginning with a character
+other than a slash (/).
+</check-content>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" time="2014-10-17T09:07:55" severity="high" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:111" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:107" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" time="2014-10-17T09:07:55" severity="low" weight="1.000000">
+      <result>notselected</result>
+      <check system="ocil-transitional">
+        <check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+        <check-content xmlns:xhtml="http://www.w3.org/1999/xhtml">
+To ensure all GIDs referenced in <xhtml:code>/etc/passwd</xhtml:code> are defined in <xhtml:code>/etc/group</xhtml:code>,
+run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># pwck -qr</pre>
+There should be no output.
+</check-content>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_no_netrc_files" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:157" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-export export-name="oval:ssg:var:213" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs"/>
+        <check-content-ref name="oval:ssg:def:133" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-export export-name="oval:ssg:var:214" value-id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs"/>
+        <check-content-ref name="oval:ssg:def:159" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-export export-name="oval:ssg:var:211" value-id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs"/>
+        <check-content-ref name="oval:ssg:def:113" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" time="2014-10-17T09:07:55" severity="low" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-export export-name="oval:ssg:var:215" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs"/>
+        <check-content-ref name="oval:ssg:def:163" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:129" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:142" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" time="2014-10-17T09:07:55" severity="medium" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:115" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" time="2014-10-17T09:07:55" severity="high" weight="1.000000">
+      <result>pass</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:146" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" time="2014-10-17T09:07:55" severity="low" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-export export-name="oval:ssg:var:212" value-id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value"/>
+        <check-content-ref name="oval:ssg:def:120" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" time="2014-10-17T09:07:55" severity="low" weight="1.000000">
+      <result>fail</result>
+      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+        <check-content-ref name="oval:ssg:def:135" href="#xccdf1"/>
+      </check>
+    </rule-result>
+    <score system="urn:xccdf:scoring:default" maximum="100.000000">34.722221</score>
+  </TestResult>

data/test/data/xccdf.xml

@@ -1,20 +1,3046 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_moc.elpmaxe.www_benchmark_second">
-  <status>incomplete</status>
-  <version>1.0</version>
-  <Profile id="xccdf_moc.elpmaxe.www_profile_1">
-    <title>is kinda compulsory</title>
-    <select idref="xccdf_moc.elpmaxe.www_rule_second" selected="true"/>
+<?xml version="1.0" encoding="UTF-8"?>
+<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.ssgproject.content_benchmark_FEDORA" resolved="1" xml:lang="en-US">
+  <status date="2014-10-02">draft</status>
+  <title xml:lang="en-US">Guide to the Secure Configuration of Fedora</title>
+  <description xml:lang="en-US">This guide presents a catalog of security-relevant configuration
+settings for Fedora operating system formatted in the eXtensible Configuration
+Checklist Description Format (XCCDF).
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+Providing system administrators with such guidance informs them how to securely
+configure systems under their control in a variety of network roles.  Policy
+makers and baseline creators can use this catalog of settings, with its
+associated references to higher-level security control catalogs, in order to
+assist them in security baseline creation.  This guide is a <i xmlns="http://www.w3.org/1999/xhtml">catalog, not a
+checklist,</i> and satisfaction of every item is not likely to be possible or
+sensible in many operational scenarios.  However, the XCCDF format enables
+granular selection and adjustment of settings, and their association with OVAL
+and OCIL content provides an automated checking capability.  Transformations of
+this document, and its associated automated checking content, are capable of
+providing baselines that meet a diverse set of policy objectives.  Some example
+XCCDF <i xmlns="http://www.w3.org/1999/xhtml">Profiles</i>, which are selections of items that form checklists and
+can be used as baselines, are available with this guide.  They can be
+processed, in an automated fashion, with tools that support the Security
+Content Automation Protocol (SCAP).
+</description>
+  <notice xml:lang="en-US" id="terms_of_use">Do not attempt to implement any of the settings in
+this guide without first testing them in a non-operational environment. The
+creators of this guidance assume no responsibility whatsoever for its use by
+other parties, and makes no guarantees, expressed or implied, about its
+quality, reliability, or any other characteristic.</notice>
+  <front-matter xml:lang="en-US">
+    <p xmlns="http://www.w3.org/1999/xhtml">
+      <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" id="Layer_1" xml:space="preserve" height="140px" viewBox="30 100 330 150" width="350px" version="1.1" y="0px" x="0px" enable-background="new 30 100 330 150">
+        <g fill="#3A3B3B">
+          <path d="m197.1 150.3s-10.1-1.2-14.4-1.2c-7.2 0-11.0 2.6-11.0 8.3 0 6.6 3.5 7.7 12.3 9.6 10.1 2.3 14.5 4.7 14.5 13.6 0 11.2-6.1 15.6-16.1 15.6-6.0 0-16.0-1.6-16.0-1.6l0.6-4.7s9.9 1.3 15.1 1.3c7.2 0 10.8-3.1 10.8-10.2 0-5.7-3.0-7.3-11.2-8.9-10.4-2.3-15.7-4.7-15.7-14.4 0-9.8 6.4-13.6 16.3-13.6 6.0 0 15.3 1.5 15.3 1.5l-0.5 4.8z"/>
+          <path d="m238.7 194.6c-3.6 0.7-9.1 1.5-13.9 1.5-15.1 0-18.5-9.2-18.5-25.9 0-17.1 3.3-26.1 18.5-26.1 5.2 0 10.7 1.0 13.9 1.6l-0.2 4.7c-3.3-0.6-9.2-1.3-13.1-1.3-11.2 0-13.2 6.7-13.2 21.1 0 14.1 1.8 20.8 13.4 20.8 4.1 0 9.5-0.7 13.0-1.3l0.2 4.8z"/>
+          <path d="m257.5 144.9h12.3l13.9 50.5h-5.6l-3.7-13.0h-21.6l-3.7 13.0h-5.5l13.9-50.5zm-3.4 32.5h19.1l-7.7-27.7h-3.8l-7.7 27.7z"/>
+          <path d="m297.2 178.4v17.0h-5.6v-50.5h18.5c11.0 0 16.1 5.3 16.1 16.3 0 11.0-5.1 17.2-16.1 17.2h-12.9zm12.8-5.0c7.4 0 10.4-4.5 10.4-12.3 0-7.7-3.1-11.3-10.4-11.3h-12.8v23.6h12.8z"/>
+        </g>
+        <g fill="#676767">
+          <path d="m176.8 211.2s-2.8-0.3-4.0-0.3c-1.5 0-2.2 0.5-2.2 1.4 0 0.9 0.5 1.2 2.8 1.9 2.9 0.9 3.8 1.8 3.8 4.0 0 3.0-2.0 4.3-4.7 4.3-1.9 0-4.5-0.6-4.5-0.6l0.3-2.1s2.7 0.4 4.1 0.4c1.5 0 2.1-0.7 2.1-1.8 0-0.8-0.5-1.2-2.4-1.8-3.1-0.9-4.2-1.9-4.2-4.1 0-2.8 1.9-4.0 4.6-4.0 1.8 0 4.5 0.5 4.5 0.5l-0.2 2.2z"/>
+          <path d="m180.6 208.7h8.8v2.4h-6.0v3.2h4.8v2.4h-4.9v3.3h6.0v2.4h-8.8v-13.6z"/>
+          <path d="m201.2 222.1c-0.9 0.2-2.7 0.5-4.0 0.5-4.2 0-5.2-2.3-5.2-7.0 0-5.2 1.2-7.0 5.2-7.0 1.4 0 3.1 0.3 4.0 0.5l-0.1 2.2c-0.9-0.1-2.6-0.3-3.5-0.3-2.1 0-2.8 0.7-2.8 4.6 0 3.7 0.5 4.6 2.8 4.6 0.9 0 2.6-0.2 3.4-0.3l0.1 2.3z"/>
+          <path d="m209.5 220.2c1.6 0 2.4-0.8 2.4-2.4v-9.1h2.8v9.0c0 3.4-1.8 4.8-5.2 4.8-3.4 0-5.2-1.4-5.2-4.8v-9.0h2.8v9.1c0 1.6 0.8 2.4 2.4 2.4z"/>
+          <path d="m221.3 217.8v4.6h-2.8v-13.6h5.3c3.1 0 4.8 1.4 4.8 4.5 0 1.9-0.8 3.1-2.0 3.9l1.9 5.2h-3.0l-1.6-4.6h-2.7zm2.5-6.7h-2.5v4.3h2.6c1.4 0 1.9-1.0 1.9-2.2 0-1.3-0.7-2.2-2.0-2.2z"/>
+          <path d="m231.9 208.7h2.8v13.6h-2.8v-13.6z"/>
+          <path d="m237.4 208.7h10.0v2.4h-3.6v11.2h-2.8v-11.2h-3.6v-2.4z"/>
+          <path d="m255.7 222.3h-2.8v-5.5l-4.2-8.1h3.1l2.5 5.4 2.5-5.4h3.1l-4.2 8.1v5.5z"/>
+          <path d="m273.4 215.1h4.0v7.1s-2.9 0.5-4.6 0.5c-4.4 0-5.6-2.5-5.6-7.0 0-5.0 1.4-7.0 5.5-7.0 2.1 0 4.7 0.6 4.7 0.6l-0.1 2.1s-2.4-0.3-4.2-0.3c-2.4 0-3.1 0.8-3.1 4.6 0 3.6 0.5 4.6 3.0 4.6 0.8 0 1.7-0.1 1.7-0.1v-2.6h-1.2v-2.4z"/>
+          <path d="m286 220.2c1.6 0 2.4-0.8 2.4-2.4v-9.1h2.8v9.0c0 3.4-1.8 4.8-5.2 4.8s-5.2-1.4-5.2-4.8v-9.0h2.8v9.1c0 1.6 0.8 2.4 2.4 2.4z"/>
+          <path d="m295.0 208.7h2.8v13.6h-2.8v-13.6z"/>
+          <path d="m301.8 222.3v-13.6h4.6c4.7 0 5.8 2.0 5.6 6.5 0 4.6-0.9 7.1-5.8 7.1h-4.6zm4.6-11.2h-1.8v8.8h1.8c2.7 0 2.9-1.6 2.9-4.7 0-3.0-0.3-4.1-3.0-4.1z"/>
+          <path d="m315.5 208.7h8.8v2.4h-6.0v3.2h4.8v2.4h-4.8v3.3h6.0v2.4h-8.8v-13.6z"/>
+        </g>
+        <path d="m116.0 204.9h-2.8c-1.5 0-2.8 1.2-2.8 2.7v19.2c0 1.5 1.3 2.7 2.8 2.7h27.9c1.5 0 2.8-1.2 2.8-2.7v-19.2c0-1.5-1.3-2.7-2.8-2.7h-2.8v-8.2c0-6.1-5.0-11.0-11.2-11.0-6.2 0-11.2 4.9-11.2 11.0v8.2zm5.6-8.2c0-3.0 2.5-5.5 5.6-5.4 3.1 0 5.6 2.4 5.6 5.5v8.2h-11.2v-8.2z" fill="#6D0B2B"/>
+        <g fill="#AD1D3F">
+          <path d="m106.4 214.7c-16.4 11.4-37.5 7.8-50.0-3.4l11.9-11.7c2.3-1.9 3.4-5.4 1.2-8.8-0.1-0.1-6.7-11.0 2.3-19.8 7.3-7.2 17.8-5.8 23.3-0.3 3.2 3.1 4.9 7.1 4.9 11.4v0.1c0 4.3-1.8 8.5-5.1 11.7-4.0 3.9-9.6 5.4-15.4 4.1-2.1-0.5-4.3 0.8-4.8 2.9-0.5 2.1 0.8 4.2 2.9 4.7 8.4 2.0 16.9-0.3 22.8-6.1 4.9-4.8 7.5-10.9 7.4-17.4-0.0-6.3-2.6-12.3-7.3-16.8-8.2-8.1-23.8-10.3-34.5 0.3-10.7 10.5-6.6 23.8-3.7 28.8l-12.8 12.6c-2.9 2.9-2.3 6.6-0.2 8.7 15.4 15.2 38.7 17.9 56.9 8.2l-0.0-9.1z"/>
+          <path d="m43.9 188.4c-1.1-7.5-1.1-21.8 11.2-33.9 8.0-7.9 18.5-12.0 29.5-11.7 10.2 0.3 20.1 4.5 27.1 11.4 7.6 7.4 11.8 17.3 11.9 27.8v0.1c1.16-0.3 2.4-0.4 3.6-0.4 1.5 0 2.9 0.2 4.3 0.6 0-0.1 0.0-0.2 0.0-0.3-0.1-12.5-5.2-24.3-14.2-33.2-8.4-8.3-20.2-13.3-32.4-13.7-13.2-0.5-25.8 4.5-35.4 14.0-9.1 8.9-14.0 20.8-14.0 33.3 0 2.4 0.2 4.8 0.5 7.2 0.6 4.0 1.8 8.1 3.7 12.2 0.9 2.0 3.2 2.8 5.2 1.9 2.0-0.9 2.9-3.1 2.0-5.1-1.5-3.3-2.6-6.8-3.1-10.1z"/>
+        </g>
+        <circle cy="218.49" cx="127.26" r="3.233" fill="#fff"/>
+      </svg>
+    </p>
+  </front-matter>
+  <rear-matter xml:lang="en-US">Red Hat and Fedora are either registered
+trademarks or trademarks of Red Hat, Inc. in the United States and other
+countries. All other names are registered trademarks or trademarks of their
+respective companies.</rear-matter>
+  <platform idref="cpe:/o:fedoraproject:fedora:21"/>
+  <platform idref="cpe:/o:fedoraproject:fedora:20"/>
+  <platform idref="cpe:/o:fedoraproject:fedora:19"/>
+  <version>0.0.4</version>
+  <model system="urn:xccdf:scoring:default"/>
+  <Profile id="xccdf_org.ssgproject.content_profile_common">
+    <title xml:lang="en-US">Common Profile for General-Purpose Fedora Systems</title>
+    <description xml:lang="en-US">This profile contains items common to general-purpose Fedora installations.</description>
+    <select idref="xccdf_org.ssgproject.content_rule_disable_prelink" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_no_uidzero_except_root" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
+    <select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/>
+    <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" selector="12"/>
+    <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" selector="7"/>
+    <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/>
+    <refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" selector="7"/>
+    <refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="5_minutes"/>
   </Profile>
-  <Profile id="xccdf_moc.elpmaxe.www_profile_2" extends="xccdf_moc.elpmaxe.www_profile_1">
-    <title>is kinda compulsory</title>
-    <select idref="xccdf_moc.elpmaxe.www_group_one" selected="true"/>
-  </Profile>
-  <Group selected="false" id="xccdf_moc.elpmaxe.www_group_one">
-    <Rule selected="false" id="xccdf_moc.elpmaxe.www_rule_second">
-      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-        <check-content-ref href="stub-oval.xml"/>
-      </check>
-    </Rule>
+  <Value id="xccdf_org.ssgproject.content_value_conditional_clause" operator="equals" type="string">
+    <title xml:lang="en-US">A conditional clause for check statements.</title>
+    <description xml:lang="en-US">A conditional clause for check statements.</description>
+    <value>This is a placeholder.</value>
+  </Value>
+  <Group id="xccdf_org.ssgproject.content_group_intro">
+    <title xml:lang="en-US">Introduction</title>
+    <description xml:lang="en-US"><!-- purpose and scope of guidance -->
+The purpose of this guidance is to provide security configuration
+recommendations and baselines for the Fedora operating system.
+Recommended settings for the basic operating system are provided,
+as well as for many network services that the system can provide
+to other systems.
+<!-- audience -->The guide is intended for system administrators. Readers are assumed to
+possess basic system administration skills for Unix-like systems, as well
+as some familiarity with Fedora's documentation and administration
+conventions. Some instructions within this guide are complex.
+All directions should be followed completely and with understanding of
+their effects in order to avoid serious adverse effects on the system
+and its security.
+</description>
+    <Group id="xccdf_org.ssgproject.content_group_general-principles">
+      <title xml:lang="en-US">General Principles</title>
+      <description xml:lang="en-US">
+The following general principles motivate much of the advice in this
+guide and should also influence any configuration decisions that are
+not explicitly covered.
+</description>
+      <Group id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">
+        <title xml:lang="en-US">Encrypt Transmitted Data Whenever Possible</title>
+        <description xml:lang="en-US">
+Data transmitted over a network, whether wired or wireless, is susceptible
+to passive monitoring. Whenever practical solutions for encrypting
+such data exist, they should be applied. Even if data is expected to
+be transmitted only over a local network, it should still be encrypted.
+Encrypting authentication data, such as passwords, is particularly
+important. Networks of Fedora machines can and should be configured
+so that no unencrypted authentication data is ever transmitted between
+machines.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_principle-minimize-software">
+        <title xml:lang="en-US">Minimize Software to Minimize Vulnerability</title>
+        <description xml:lang="en-US">
+The simplest way to avoid vulnerabilities in software is to avoid
+installing that software. On Fedora, the RPM Package Manager (originally
+Red Hat Package Manager, abbreviated RPM) allows for careful management of
+the set of software packages installed on a system. Installed software
+contributes to system vulnerability in several ways. Packages that
+include setuid programs may provide local attackers a potential path to
+privilege escalation. Packages that include network services may give
+this opportunity to network-based attackers. Packages that include
+programs which are predictably executed by local users (e.g. after
+graphical login) may provide opportunities for trojan horses or other
+attack code to be run undetected. The number of software packages
+installed on a system can almost always be significantly pruned to include
+only the software for which there is an environmental or operational need.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_principle-separate-servers">
+        <title xml:lang="en-US">Run Different Network Services on Separate Systems</title>
+        <description xml:lang="en-US">
+Whenever possible, a server should be dedicated to serving exactly one
+network service. This limits the number of other services that can
+be compromised in the event that an attacker is able to successfully
+exploit a software flaw in one network service.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_principle-use-security-tools">
+        <title xml:lang="en-US">Configure Security Tools to Improve System Robustness</title>
+        <description xml:lang="en-US">
+Several tools exist which can be effectively used to improve a system's
+resistance to and detection of unknown attacks. These tools can improve
+robustness against attack at the cost of relatively little configuration
+effort. In particular, this guide recommends and discusses the use of
+Iptables for host-based firewalling, SELinux for protection against
+vulnerable services, and a logging and auditing infrastructure for
+detection of problems.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_principle-least-privilege">
+        <title xml:lang="en-US">Least Privilege</title>
+        <description xml:lang="en-US">
+Grant the least privilege necessary for user accounts and software to perform tasks.
+For example, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> can be implemented to limit authorization to super user
+accounts on the system only to designated personnel. Another example is to limit
+logins on server systems to only those administrators who need to log into them in
+order to perform administration tasks. Using SELinux also follows the principle of
+least privilege: SELinux policy can confine software to perform only actions on the
+system that are specifically allowed. This can be far more restrictive than the
+actions permissible by the traditional Unix permissions model.
+</description>
+      </Group>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_how-to-use">
+      <title xml:lang="en-US">How to Use This Guide</title>
+      <description xml:lang="en-US">
+Readers should heed the following points when using the guide.
+</description>
+      <Group id="xccdf_org.ssgproject.content_group_intro-read-sections-completely">
+        <title xml:lang="en-US">Read Sections Completely and in Order</title>
+        <description xml:lang="en-US">
+Each section may build on information and recommendations discussed in
+prior sections. Each section should be read and understood completely;
+instructions should never be blindly applied. Relevant discussion may
+occur after instructions for an action.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_intro-test-non-production">
+        <title xml:lang="en-US">Test in Non-Production Environment</title>
+        <description xml:lang="en-US">
+This guidance should always be tested in a non-production environment
+before deployment. This test environment should simulate the setup in
+which the system will be deployed as closely as possible.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed">
+        <title xml:lang="en-US">Root Shell Environment Assumed</title>
+        <description xml:lang="en-US">
+Most of the actions listed in this document are written with the
+assumption that they will be executed by the root user running the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/bin/bash</xhtml:code> shell. Commands preceded with a hash mark (#)
+assume that the administrator will execute the commands as root, i.e.
+apply the command via <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> whenever possible, or use
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code> to gain root privileges if <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> cannot be
+used. Commands which can be executed as a non-root user are are preceded
+by a dollar sign ($) prompt.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_intro-formatting-conventions">
+        <title xml:lang="en-US">Formatting Conventions</title>
+        <description xml:lang="en-US">
+Commands intended for shell execution, as well as configuration file text,
+are featured in a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">monospace font</xhtml:code>. <i xmlns="http://www.w3.org/1999/xhtml">Italics</i> are used
+to indicate instances where the system administrator must substitute
+the appropriate information into a command or configuration file.
+</description>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_intro-reboot-required">
+        <title xml:lang="en-US">Reboot Required</title>
+        <description xml:lang="en-US">
+A system reboot is implicitly required after some actions in order to
+complete the reconfiguration of the system. In many cases, the changes
+will not take effect until a reboot is performed. In order to ensure
+that changes are applied properly and to test functionality, always
+reboot the system after applying a set of recommendations from this guide.
+</description>
+      </Group>
+    </Group>
+  </Group>
+  <Group id="xccdf_org.ssgproject.content_group_system">
+    <title xml:lang="en-US">System Settings</title>
+    <Group id="xccdf_org.ssgproject.content_group_settings">
+      <title xml:lang="en-US">General System Wide Configuration Settings</title>
+      <description xml:lang="en-US">The following sections contain information on
+various security-relevant configuration settings that in
+particular way modify the behaviour of the system as a whole.
+</description>
+      <Rule id="xccdf_org.ssgproject.content_rule_disable_prelink" selected="false" severity="low">
+        <title xml:lang="en-US">Prelinking Disabled</title>
+        <description xml:lang="en-US">
+The prelinking feature changes binaries in an attempt to decrease their startup
+time. In order to disable it, change or add the following line inside the file
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/prelink</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">PRELINKING=no</pre>
+Next, run the following command to return binaries to a normal, non-prelinked
+state:
+<pre xmlns="http://www.w3.org/1999/xhtml"># /sbin/prelink -ua</pre>
+</description>
+        <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
+        <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
+        <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
+        <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
+        <rationale xml:lang="en-US">
+The prelinking feature can interfere with the operation of checksum integrity
+tools (e.g. AIDE), because it modifies binaries to speed up their startup time.
+Also it makes the location of shared libraries very predictable, mitigating
+the efficiency of address space layout randomization (ASLR) protection mechanism.
+In addition, each upgrade of an application or a library requires prelink to be
+run again.
+</rationale>
+        <fix system="urn:xccdf:fix:script:sh">#
+# Disable prelinking altogether
+#
+if grep -q ^PRELINKING /etc/sysconfig/prelink
+then
+  sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
+else
+  echo -e "\n# Set PRELINKING=no per security requirements" &gt;&gt; /etc/sysconfig/prelink
+  echo "PRELINKING=no" &gt;&gt; /etc/sysconfig/prelink
+fi
+
+#
+# Undo previous prelink changes to binaries
+#
+/usr/sbin/prelink -ua
+</fix>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref name="oval:ssg:def:198" href="ssg-fedora-oval.xml"/>
+        </check>
+      </Rule>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_software">
+      <title xml:lang="en-US">Installing and Maintaining Software</title>
+      <description xml:lang="en-US">The following sections contain information on
+security-relevant choices during the initial operating system
+installation process and the setup of software
+updates.</description>
+      <Group id="xccdf_org.ssgproject.content_group_updating">
+        <title xml:lang="en-US">Updating Software</title>
+        <description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> command line tool is used to install and
+update software packages. The system also provides a graphical
+software update tool in the <b xmlns="http://www.w3.org/1999/xhtml">System</b> menu, in the <b xmlns="http://www.w3.org/1999/xhtml">Administration</b> submenu,
+called <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b>.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Fedora systems contain an installed software catalog called
+the RPM database, which records metadata of installed packages.  Tools such as
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> or the graphical <b xmlns="http://www.w3.org/1999/xhtml">Software Update</b> ensure usage of RPM
+packages for software installation.  This allows for insight into the current
+inventory of installed software on the system, and is highly recommended.
+</description>
+        <Rule id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_globally_activated" selected="false" severity="high">
+          <title xml:lang="en-US">gpgcheck Enabled In Main Yum Configuration</title>
+          <description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> option should be used to ensure
+checking of an RPM package's signature always occurs prior to its
+installation. To configure yum to check package signatures before installing
+them, ensure the following line appears in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.conf</xhtml:code> in
+the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[main]</xhtml:code> section:
+<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">352</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">663</reference>
+          <rationale xml:lang="en-US">
+Ensuring the validity of packages' cryptographic signatures prior to
+installation ensures the provenance of the software and
+protects against malicious tampering.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:148" href="ssg-fedora-oval.xml"/>
+          </check>
+          <check system="ocil-transitional">
+            <check-export export-name="GPG checking is not enabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To determine whether <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> is configured to use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code>,
+inspect <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.conf</xhtml:code> and ensure the following appears in the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">[main]</xhtml:code> section:
+<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=1</pre>
+A value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">1</xhtml:code> indicates that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> is enabled. Absence of a
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> line or a setting of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code> indicates that it is
+disabled.
+</check-content>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_ensure_gpgcheck_never_disabled" selected="false" severity="high">
+          <title xml:lang="en-US">gpgcheck Enabled For All Yum Package Repositories</title>
+          <description xml:lang="en-US">To ensure signature checking is not disabled for
+any repos, remove any lines from files in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.repos.d</xhtml:code> of the form:
+<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">MA-1(b)</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">352</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">663</reference>
+          <rationale xml:lang="en-US">
+Ensuring all packages' cryptographic signatures are valid prior to
+installation ensures the provenance of the software and
+protects against malicious tampering.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:124" href="ssg-fedora-oval.xml"/>
+          </check>
+          <check system="ocil-transitional">
+            <check-export export-name="GPG checking is disabled" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To determine whether <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">yum</xhtml:code> has been configured to disable
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> for any repos,  inspect all files in
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/yum.repos.d</xhtml:code> and ensure the following does not appear in any
+sections:
+<pre xmlns="http://www.w3.org/1999/xhtml">gpgcheck=0</pre>
+A value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">0</xhtml:code> indicates that <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gpgcheck</xhtml:code> has been disabled for that repo.
+</check-content>
+          </check>
+        </Rule>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_integrity">
+        <title xml:lang="en-US">Software Integrity Checking</title>
+        <description xml:lang="en-US">
+Both the AIDE (Advanced Intrusion Detection Environment)
+software and the RPM package management system provide
+mechanisms for verifying the integrity of installed software.
+AIDE uses snapshots of file metadata (such as hashes) and compares these
+to current system files in order to detect changes.
+The RPM package management system can conduct integrity
+checks by comparing information in its metadata database with
+files installed on the system.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Integrity checking cannot <i xmlns="http://www.w3.org/1999/xhtml">prevent</i> intrusions,
+but can detect that they have occurred. Requirements
+for software integrity checking may be highly dependent on
+the environment in which the system will be used. Snapshot-based
+approaches such as AIDE may induce considerable overhead
+in the presence of frequent software updates.
+</description>
+        <Group id="xccdf_org.ssgproject.content_group_aide">
+          <title xml:lang="en-US">Verify Integrity with AIDE</title>
+          <description xml:lang="en-US">AIDE conducts integrity checks by comparing information about
+files with previously-gathered information. Ideally, the AIDE database is
+created immediately after initial system configuration, and then again after any
+software update.  AIDE is highly configurable, with further configuration
+information located in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/share/doc/aide-<i xmlns="http://www.w3.org/1999/xhtml">VERSION</i></xhtml:code>.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="false" severity="medium">
+            <title xml:lang="en-US">Install AIDE</title>
+            <description xml:lang="en-US">
+Install the AIDE package with the command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># yum install aide</pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1069</reference>
+            <rationale xml:lang="en-US">
+The AIDE package must be installed if it is to be available for integrity checking.
+</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="the package is not installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+
+    Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">aide</xhtml:code> package is installed:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q aide</xhtml:pre>
+            </check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_aide_build_database" selected="false" severity="low">
+            <title xml:lang="en-US">Build and Test AIDE Database</title>
+            <description xml:lang="en-US">Run the following command to generate a new database:
+<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init</pre>
+By default, the database will be written to the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/lib/aide/aide.db.new.gz</xhtml:code>.
+Storing the database, the configuration file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/aide.conf</xhtml:code>, and the binary
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/usr/sbin/aide</xhtml:code> (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
+The newly-generated database can be installed as follows:
+<pre xmlns="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</pre>
+To initiate a manual check, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check</pre>
+If this check produces any unexpected output, investigate.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
+            <rationale xml:lang="en-US">
+For AIDE to be effective, an initial database of "known-good" information about files
+must be captured and it should be able to be verified against the installed files.
+</rationale>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" selected="false" severity="medium">
+            <title xml:lang="en-US">Configure Periodic Execution of AIDE</title>
+            <description xml:lang="en-US">
+To implement a daily execution of AIDE at 4:05am using cron, add the following line to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/crontab</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">05 4 * * * root /usr/sbin/aide --check</pre>
+AIDE can be executed periodically through other means; this is merely one example.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-3(e)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">374</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">416</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1069</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1263</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1297</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1589</reference>
+            <rationale xml:lang="en-US">
+By default, AIDE does not install itself for periodic execution. Periodically
+running AIDE is necessary to reveal unexpected changes in installed files.
+</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="there is no output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To determine that periodic AIDE execution has been scheduled, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep aide /etc/crontab</pre>
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_rpm_verification">
+          <title xml:lang="en-US">Verify Integrity with RPM</title>
+          <description xml:lang="en-US">The RPM package management system includes the ability
+to verify the integrity of installed packages by comparing the
+installed files with information about the files taken from the
+package metadata stored in the RPM database. Although an attacker
+could corrupt the RPM database (analogous to attacking the AIDE
+database as described above), this check can still reveal
+modification of important files. To list which files on the system differ from what is expected by the RPM database:
+<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qVa</pre>
+See the man page for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpm</xhtml:code> to see a complete explanation of each column.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" selected="false" severity="low">
+            <title xml:lang="en-US">Verify and Correct File Permissions with RPM</title>
+            <description xml:lang="en-US">
+The RPM package management system can check file access
+permissions of installed software packages, including many that are
+important to system security.
+After locating a file with incorrect permissions, run the following command to determine which package owns it:
+<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre>
+Next, run the following command to reset its permissions to
+the correct values:
+<pre xmlns="http://www.w3.org/1999/xhtml"># rpm --setperms <i>PACKAGENAME</i></pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1493</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1494</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1495</reference>
+            <rationale xml:lang="en-US">
+Permissions on system binaries and configuration files that are too generous
+could allow an unauthorized user to gain privileges that they should not have.
+The permissions set by the vendor should be maintained. Any deviations from
+this baseline should be investigated.</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+The following command will list which files on the system have permissions different from what
+is expected by the RPM database:
+<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^.M'</pre>
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_rpm_verify_hashes" selected="false" severity="low">
+            <title xml:lang="en-US">Verify File Hashes with RPM</title>
+            <description xml:lang="en-US">The RPM package management system can check the hashes of
+installed software packages, including many that are important to system
+security. Run the following command to list which files on the system
+have hashes that differ from what is expected by the RPM database:
+<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | grep '^..5'</pre>
+A "c" in the second column indicates that a file is a configuration file, which
+may appropriately be expected to change.  If the file was not expected to
+change, investigate the cause of the change using audit logs or other means.
+The package can then be reinstalled to restore the file.
+Run the following command to determine which package owns the file:
+<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -qf <i>FILENAME</i></pre>
+The package can be reinstalled from a yum repository using the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">yum reinstall <i>PACKAGENAME</i></pre>
+Alternatively, the package can be reinstalled from trusted media using the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">rpm -Uvh <i>PACKAGENAME</i></pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(d)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-6(3)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-7</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1496</reference>
+            <rationale xml:lang="en-US">
+The hashes of important files like system executables should match the
+information given by the RPM database. Executables with erroneous hashes could
+be a sign of nefarious activity on the system.</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content> The following command will list which files on the system
+have file hashes different from what is expected by the RPM database.
+<pre xmlns="http://www.w3.org/1999/xhtml"># rpm -Va | awk '$1 ~ /..5/ &amp;&amp; $2 != "c"'</pre>
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_additional_security_software">
+          <title xml:lang="en-US">Additional Security Software</title>
+          <description xml:lang="en-US">
+Additional security software that is not provided or supported
+by Red Hat can be installed to provide complementary or duplicative
+security capabilities to those provided by the base platform.  Add-on
+software may not be appropriate for some specialized systems.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_install_hids" selected="false" severity="high">
+            <title xml:lang="en-US">Install Intrusion Detection Software</title>
+            <description xml:lang="en-US">
+The Red Hat platform includes a sophisticated auditing system
+and SELinux, which provide host-based intrusion detection capabilities.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-7</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1263</reference>
+            <rationale xml:lang="en-US">
+Host-based intrusion detection tools provide a system-level defense when an
+intruder gains access to a system or network.
+</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="no host-based intrusion detection tools are installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+Inspect the system to determine if intrusion detection software has been installed.
+Verify this intrusion detection software is active.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_install_antivirus" selected="false" severity="low">
+            <title xml:lang="en-US">Install Virus Scanning Software</title>
+            <description xml:lang="en-US">
+Install virus scanning software, which uses signatures to search for the
+presence of viruses on the filesystem.
+The McAfee VirusScan Enterprise for Linux virus scanning tool is provided for DoD systems.
+Ensure virus definition files are no older than 7 days, or their last release.
+<!-- need info here on where DoD admins can go to get this -->
+Configure the virus scanning software to perform scans dynamically on all
+accessed files.  If this is not possible, configure the
+system to scan all altered files on the system on a daily
+basis. If the system processes inbound SMTP mail, configure the virus scanner
+to scan all received mail.
+<!-- what's the basis for the IAO language? would not failure of a check
+     imply a discussion, for every check in this document,
+     with the IAO (or SSO or ISSO or ISSM or whatever is the right acronym in your
+     particular neighborhood) should occur? -->
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-28</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SI-3</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1239</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">1668</reference>
+            <rationale xml:lang="en-US">
+Virus scanning software can be used to detect if a system has been compromised by
+computer viruses, as well as to limit their spread to other systems.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:164" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="virus scanning software does not run continuously, or at least daily, or has signatures that are out of date" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+Inspect the system for a cron job or system service which executes
+a virus scanning tool regularly.
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+<!-- this should be handled as DoD-specific text in a future revision -->
+To verify the McAfee VSEL system service is operational,
+run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># /etc/init.d/nails status</pre>
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+To check on the age of uvscan virus definition files, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># cd /opt/NAI/LinuxShield/engine/dat
+# ls -la avvscan.dat avvnames.dat avvclean.dat</pre>
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+      </Group>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_permissions">
+      <title xml:lang="en-US">File Permissions and Masks</title>
+      <description xml:lang="en-US">Traditional Unix security relies heavily on file and
+directory permissions to prevent unauthorized users from reading or
+modifying files to which they should not have access.
+</description>
+      <Group id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs">
+        <title xml:lang="en-US">Verify File Permissions Within Some Important Directories</title>
+        <description xml:lang="en-US">Some directories contain files whose confidentiality or integrity
+is notably important and may also be susceptible to misconfiguration over time,
+particularly if unpackaged software is installed. As such, an argument exists
+to verify that files' permissions within these directories remain configured
+correctly and restrictively.
+</description>
+        <Rule id="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" selected="false" severity="medium">
+          <title xml:lang="en-US">Shared Library Files Have Restrictive Permissions</title>
+          <description xml:lang="en-US">System-wide shared library files, which are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+<pre xmlns="http://www.w3.org/1999/xhtml">/lib
+/lib64
+/usr/lib
+/usr/lib64
+</pre>
+Kernel modules, which can be added to the kernel during runtime, are stored in
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/lib/modules</xhtml:code>. All files in these directories should not be
+group-writable or world-writable. If any file in these directories is found to
+be group-writable or world-writable, correct its permission with the following
+command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1499</reference>
+          <rationale xml:lang="en-US">Files from shared library directories are loaded into the address
+space of processes (including privileged ones) or of the kernel itself at
+runtime. Restrictive permissions are necessary to protect the integrity of the
+system.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:190" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" selected="false" severity="medium">
+          <title xml:lang="en-US">Shared Library Files Have Root Ownership</title>
+          <description xml:lang="en-US">System-wide shared library files, which are linked to executables
+during process load time or run time, are stored in the following directories
+by default:
+<pre xmlns="http://www.w3.org/1999/xhtml">/lib
+/lib64
+/usr/lib
+/usr/lib64
+</pre>
+Kernel modules, which can be added to the kernel during runtime, are also
+stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/lib/modules</xhtml:code>. All files in these directories should be owned
+by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user. If the directory, or any file in these directories,
+is found to be owned by a user other than root correct its ownership with the
+following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1499</reference>
+          <rationale xml:lang="en-US">Files from shared library directories are loaded into the address
+space of processes (including privileged ones) or of the kernel itself at
+runtime. Proper ownership is necessary to protect the integrity of the system.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:207" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" selected="false" severity="medium">
+          <title xml:lang="en-US">System Executables Have Restrictive Permissions</title>
+          <description xml:lang="en-US">
+System executables are stored in the following directories by default:
+<pre xmlns="http://www.w3.org/1999/xhtml">/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin</pre>
+All files in these directories should not be group-writable or world-writable.
+If any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found to be group-writable or
+world-writable, correct its permission with the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># chmod go-w <i>FILE</i></pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1499</reference>
+          <rationale xml:lang="en-US">System binaries are executed by privileged users, as well as system
+services, and restrictive permissions are necessary to ensure execution of
+these programs cannot be co-opted.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:137" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" selected="false" severity="medium">
+          <title xml:lang="en-US">System Executables Have Root Ownership</title>
+          <description xml:lang="en-US">
+System executables are stored in the following directories by default:
+<pre xmlns="http://www.w3.org/1999/xhtml">/bin
+/usr/bin
+/usr/local/bin
+/sbin
+/usr/sbin
+/usr/local/sbin</pre>
+All files in these directories should be owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user. If
+any file <i xmlns="http://www.w3.org/1999/xhtml">FILE</i> in these directories is found to be owned by a user other
+than root, correct its ownership with the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># chown root <i>FILE</i></pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1499</reference>
+          <rationale xml:lang="en-US">System binaries are executed by privileged users as well as system
+services, and restrictive permissions are necessary to ensure that their
+execution of these programs cannot be co-opted.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:161" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+      </Group>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_accounts">
+      <title xml:lang="en-US">Account and Access Control</title>
+      <description xml:lang="en-US">In traditional Unix security, if an attacker gains
+shell access to a certain login account, they can perform any action
+or access any file to which that account has access. Therefore,
+making it more difficult for unauthorized people to gain shell
+access to accounts, particularly to privileged accounts, is a
+necessary part of securing a system. This section introduces
+mechanisms for restricting access to accounts under Fedora.
+</description>
+      <Group id="xccdf_org.ssgproject.content_group_accounts-restrictions">
+        <title xml:lang="en-US">Protect Accounts by Restricting Password-Based Login</title>
+        <description xml:lang="en-US">Conventionally, Unix shell accounts are accessed by
+providing a username and password to a login program, which tests
+these values for correctness using the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> and
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> files. Password-based login is vulnerable to
+guessing of weak passwords, and to sniffing and man-in-the-middle
+attacks against passwords entered over a network or at an insecure
+console. Therefore, mechanisms for accessing accounts by entering
+usernames and passwords should be restricted to those which are
+operationally necessary.</description>
+        <Group id="xccdf_org.ssgproject.content_group_root_logins">
+          <title xml:lang="en-US">Restrict Root Logins</title>
+          <description xml:lang="en-US">
+Direct root logins should be allowed only for emergency use.
+In normal situations, the administrator should access the system
+via a unique unprivileged account, and then use <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sudo</xhtml:code> to execute
+privileged commands. Discouraging administrators from accessing the
+root account directly ensures an audit trail in organizations with
+multiple administrators. Locking down the channels through which
+root can connect directly also reduces opportunities for
+password-guessing against the root account. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login</xhtml:code> program
+uses the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> to determine which interfaces
+should allow root logins.
+
+The virtual devices <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/console</xhtml:code>
+and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/tty*</xhtml:code> represent the system consoles (accessible via
+the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
+installation). The default securetty file also contains <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/vc/*</xhtml:code>.
+These are likely to be deprecated in most environments, but may be retained
+for compatibility. Furthermore, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/hvc*</xhtml:code> represent virtio-serial
+consoles, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/hvsi*</xhtml:code> IBM pSeries serial consoles, and finally
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/dev/xvc0</xhtml:code> Xen virtual console. Root should also be prohibited
+from connecting via network protocols. Other sections of this document
+include guidance describing how to prevent root from logging in via SSH.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="false" severity="medium">
+            <title xml:lang="en-US">Direct root Logins Not Allowed</title>
+            <description xml:lang="en-US">To further limit access to the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> account, administrators
+can disable root logins at the console by editing the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> file.
+This file lists all devices the root user is allowed to login to. If the file does
+not exist at all, the root user can login through any communication device on the
+system, whether via the console or via a raw network interface. This is dangerous
+as user can login to his machine as root via Telnet, which sends the password in
+plain text over the network. By default, Fedora's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code> file
+only allows the root user to login at the console physically attached to the
+machine. To prevent root from logging in, remove the contents of this file.
+To prevent direct root logins, remove the contents of this file by typing the
+following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">
+echo &gt; /etc/securetty
+</pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
+            <rationale xml:lang="en-US">
+Disabling direct root logins ensures proper accountability and multifactor
+authentication to privileged accounts. Users will first login, then escalate
+to privileged (root) access via su / sudo. This scenario is nowadays required
+by security standards.
+</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="the /etc/securetty file is not empty" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To ensure root may not directly login to the system over physical consoles,
+run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">cat /etc/securetty</pre>
+If any output is returned, this is a finding.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" selected="false" severity="medium">
+            <title xml:lang="en-US">Virtual Console Root Logins Restricted</title>
+            <description xml:lang="en-US">
+To restrict root logins through the (deprecated) virtual console devices,
+ensure lines of this form do not appear in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">vc/1
+vc/2
+vc/3
+vc/4</pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">770</reference>
+            <rationale xml:lang="en-US">
+Preventing direct root login to virtual console devices
+helps ensure accountability for actions taken on the system
+using the root account.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:144" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="root login over virtual console devices is permitted" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check for virtual console entries which permit root login, run the
+following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^vc/[0-9] /etc/securetty</pre>
+If any output is returned, then root logins over virtual console devices is permitted.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" selected="false" severity="low">
+            <title xml:lang="en-US">Serial Port Root Logins Restricted</title>
+            <description xml:lang="en-US">To restrict root logins on serial ports,
+ensure lines of this form do not appear in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/securetty</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">ttyS0
+ttyS1</pre>
+<!-- TODO: discussion/description of serial port -->
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">770</reference>
+            <rationale xml:lang="en-US">
+Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:159" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="root login over serial ports is permitted" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check for serial port entries which permit root login,
+run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep ^ttyS/[0-9] /etc/securetty</pre>
+If any output is returned, then root login over serial ports is permitted.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_no_root_webbrowsing" selected="false" severity="low">
+            <title xml:lang="en-US">Web Browser Use for Administrative Accounts Restricted</title>
+            <description xml:lang="en-US">
+Enforce policy requiring administrative accounts use web browsers only for
+local service administration.
+</description>
+            <rationale xml:lang="en-US">
+If a browser vulnerability is exploited while running with administrative privileges,
+the entire system could be compromised. Specific exceptions for local service
+administration should be documented in site-defined policy.
+</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="this is not the case" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+Check the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> home directory for a <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.mozilla</xhtml:code> directory. If
+one exists, ensure browsing is limited to local service administration.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="false" severity="medium">
+            <title xml:lang="en-US">System Accounts Do Not Run a Shell Upon Login</title>
+            <description xml:lang="en-US">
+Some accounts are not associated with a human
+user of the system, and exist to perform some administrative
+function. Should an attacker be able to log into these accounts,
+they should not be granted access to a shell.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+The login shell for each local account is stored in the last field of each line
+in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>. System accounts are those user accounts with a user ID less than
+500. The user ID is stored in the third field.
+If any system account <i xmlns="http://www.w3.org/1999/xhtml">SYSACCT</i> (other than root) has a login shell,
+disable it with the command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin <i>SYSACCT</i></pre>
+</description>
+            <warning xml:lang="en-US" override="false" category="functionality">
+Do not perform the steps in this
+section on the root account. Doing so might cause the system to
+become inaccessible.
+</warning>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
+            <reference href="http://iase.disa.mil/cci/index.html">178</reference>
+            <rationale xml:lang="en-US">
+Ensuring shells are not given to system accounts upon login
+makes it more difficult for attackers to make use of
+system accounts.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:210" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="any system account (other than root) has a login shell" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To obtain a listing of all users,
+their UIDs, and their shells, run the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd</pre>
+Identify the system accounts from this listing. These will
+primarily be the accounts with UID numbers less than 500, other
+than root.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_no_uidzero_except_root" selected="false" severity="medium">
+            <title xml:lang="en-US">Only Root Has UID 0</title>
+            <description xml:lang="en-US">
+If any account other than root has a UID of 0,
+this misconfiguration should be investigated and the
+accounts other than root should be removed or have their UID changed.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">366</reference>
+            <rationale xml:lang="en-US">
+An account has root authority if it has a UID of 0. Multiple accounts
+with a UID of 0 afford more opportunity for potential intruders to
+guess a password for a privileged account. Proper configuration of
+sudo is recommended to afford multiple system administrators
+access to root privileges in an accountable manner.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:181" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="any account other than root has a UID of 0" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To list all password file entries for accounts with UID 0, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd</pre>
+This should print only one line, for the user root.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_root_path_default" selected="false" severity="low">
+            <title xml:lang="en-US">Root Path Is Vendor Default</title>
+            <description xml:lang="en-US">
+Assuming root shell is bash, edit the following files:
+<pre xmlns="http://www.w3.org/1999/xhtml">~/.profile</pre>
+<pre xmlns="http://www.w3.org/1999/xhtml">~/.bashrc</pre>
+Change any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> variables to the vendor default for root and remove any
+empty <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> entries or references to relative paths.
+</description>
+            <rationale xml:lang="en-US">
+The root account's executable search path must be the vendor default, and must
+contain only absolute paths.
+</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="any of these conditions are not met" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To view the root user's <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code>, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># env | grep PATH</pre>
+If correctly configured, the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH</xhtml:code> must: use vendor default settings,
+have no empty entries, and have no entries beginning with a character
+other than a slash (/).
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_password_storage">
+          <title xml:lang="en-US">Proper Storage and Existence of Password Hashes</title>
+          <description xml:lang="en-US">
+By default, password hashes for local accounts are stored
+in the second field (colon-separated) in
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code>. This file should be readable only by
+processes running with root credentials, preventing users from
+casually accessing others' password hashes and attempting
+to crack them.
+However, it remains possible to misconfigure the system
+and store password hashes
+in world-readable files such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>, or
+to even store passwords themselves in plaintext on the system.
+Using system-provided tools for password change/creation
+should allow administrators to avoid such misconfiguration.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="false" severity="high">
+            <title xml:lang="en-US">Log In to Accounts With Empty Password Impossible</title>
+            <description xml:lang="en-US">If an account is configured for password authentication
+but does not have an assigned password, it may be possible to log
+into the account without authentication. Remove any instances of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nullok</xhtml:code>
+option in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/pam.d/system-auth</xhtml:code> to
+prevent logins with empty passwords.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(b)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(c)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
+            <rationale xml:lang="en-US">
+If an account has an empty password, anyone could log in and
+run commands with the privileges of that account. Accounts with
+empty passwords should never be used in operational
+environments.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:200" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="NULL passwords can be used" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To verify that null passwords cannot be used, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep nullok /etc/pam.d/system-auth</pre>
+If this produces any output, it may be possible to log into accounts
+with empty passwords.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_no_hashes_outside_shadow" selected="false" severity="medium">
+            <title xml:lang="en-US">Password Hashes For Each Account Shadowed</title>
+            <description xml:lang="en-US">
+If any password hashes are stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> (in the second field,
+instead of an <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">x</xhtml:code>), the cause of this misconfiguration should be
+investigated.  The account should have its password reset and the hash should be
+properly stored, or the account should be deleted entirely.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">201</reference>
+            <rationale xml:lang="en-US">
+The hashes for all user account passwords should be stored in
+the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/shadow</xhtml:code> and never in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>,
+which is readable by all users.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:175" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="any stored hashes are found in /etc/passwd" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check that no password hashes are stored in
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd</pre>
+If it produces any output, then a password hash is
+stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code>.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" selected="false" severity="low">
+            <title xml:lang="en-US">All GIDs referenced in /etc/passwd Defined in /etc/group</title>
+            <description xml:lang="en-US">
+Add a group to the system for each GID referenced without a corresponding group.
+</description>
+            <reference href="http://iase.disa.mil/cci/index.html">366</reference>
+            <rationale xml:lang="en-US">
+Inconsistency in GIDs between <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/group</xhtml:code> could lead to a user having unintended rights.
+</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To ensure all GIDs referenced in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/passwd</xhtml:code> are defined in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/group</xhtml:code>,
+run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># pwck -qr</pre>
+There should be no output.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="false" severity="medium">
+            <title xml:lang="en-US">netrc Files Do Not Exist</title>
+            <description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files contain login information
+used to auto-login into FTP servers and reside in the user's home
+directory. These files may contain unencrypted passwords to
+remote FTP servers making them susceptible to access by unauthorized
+users and should not be used.  Any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files should be removed.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(h)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">196</reference>
+            <rationale xml:lang="en-US">
+Unencrypted passwords for remote FTP servers may be stored in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code>
+files. DoD policy requires passwords be encrypted in storage and not used
+in access scripts.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:129" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="any .netrc files exist" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check the system for the existence of any <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">.netrc</xhtml:code> files,
+run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># find /home -xdev -name .netrc</pre>
+<!-- needs fixup to limit search to home dirs -->
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_password_expiration">
+          <title xml:lang="en-US">Set Password Expiration Parameters</title>
+          <description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> controls several
+password-related settings. Programs such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">passwd</xhtml:code>,
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">su</xhtml:code>, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login</xhtml:code> consult <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> to determine
+behavior with regard to password aging, expiration warnings,
+and length. See the man page <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">login.defs(5)</xhtml:code> for more information.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Users should be forced to change their passwords, in order to
+decrease the utility of compromised passwords. However, the need to
+change passwords often should be balanced against the risk that
+users will reuse or write down passwords if forced to change them
+too often. Forcing password changes every 90-360 days, depending on
+the environment, is recommended. Set the appropriate value as
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS</xhtml:code> and apply it to existing accounts with the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-M</xhtml:code> flag.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS</xhtml:code> (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-m</xhtml:code>) setting prevents password
+changes for 7 days after the first change, to discourage password
+cycling. If you use this setting, train users to contact an administrator
+for an emergency password change in case a new password becomes
+compromised. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PASS_WARN_AGE</xhtml:code> (<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-W</xhtml:code>) setting gives
+users 7 days of warnings at login time that their passwords are about to expire.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+For example, for each existing human user <i xmlns="http://www.w3.org/1999/xhtml">USER</i>, expiration parameters
+could be adjusted to a 180 day maximum password age, 7 day minimum password
+age, and 7 day warning period with the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER</pre>
+</description>
+          <Value id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" type="number">
+            <title xml:lang="en-US">minimum password length</title>
+            <description xml:lang="en-US">Minimum number of characters in password</description>
+            <warning xml:lang="en-US" override="false" category="general">This will only check new passwords</warning>
+            <value>12</value>
+            <value selector="6">6</value>
+            <value selector="8">8</value>
+            <value selector="10">10</value>
+            <value selector="12">12</value>
+            <value selector="14">14</value>
+          </Value>
+          <Value id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" type="number">
+            <title xml:lang="en-US">maximum password age</title>
+            <description xml:lang="en-US">Maximum age of password in days</description>
+            <warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
+            <value>60</value>
+            <value selector="60">60</value>
+            <value selector="90">90</value>
+            <value selector="120">120</value>
+            <value selector="180">180</value>
+          </Value>
+          <Value id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" type="number">
+            <title xml:lang="en-US">minimum password age</title>
+            <description xml:lang="en-US">Minimum age of password in days</description>
+            <warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
+            <value>7</value>
+            <value selector="7">7</value>
+            <value selector="5">5</value>
+            <value selector="1">1</value>
+            <value selector="2">2</value>
+            <value selector="0">0</value>
+          </Value>
+          <Value id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" type="number">
+            <title xml:lang="en-US">warning days before password expires</title>
+            <description xml:lang="en-US">The number of days' warning given before a password expires.</description>
+            <warning xml:lang="en-US" override="false" category="general">This will only apply to newly created accounts</warning>
+            <value>7</value>
+            <value selector="0">0</value>
+            <value selector="7">7</value>
+            <value selector="14">14</value>
+          </Value>
+          <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" selected="false" severity="medium">
+            <title xml:lang="en-US">Password Minimum Length</title>
+            <description xml:lang="en-US">To specify password length requirements for new accounts,
+edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_LEN <b>LENGTH</b></pre>
+and correct it to have the form of:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_LEN <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/></b></pre>
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+Nowadays recommended values, considered as secure by various organizations
+focused on topic of computer security, range from <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">12 (FISMA)</xhtml:code> up to
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">14 (DoD)</xhtml:code> characters for password length requirements.
+If a program consults <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code> and also another PAM module
+(such as <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">pam_cracklib</xhtml:code>) during a password change operation,
+then the most restrictive must be satisfied. See PAM section
+for more information about enforcing password quality requirements.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(a)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">205</reference>
+            <rationale xml:lang="en-US">
+Requiring a minimum password length makes password
+cracking attacks more difficult by ensuring a larger
+search space. However, any security benefit from an onerous requirement
+must be carefully weighed against usability problems, support costs, or
+counterproductive behavior that may result.
+</rationale>
+            <fix system="urn:xccdf:fix:script:sh">var_accounts_password_minlen_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/>"
+grep -q ^PASS_MIN_LEN /etc/login.defs &amp;&amp; \
+sed -i "s/PASS_MIN_LEN.*/PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]
+then
+  echo -e "PASS_MIN_LEN\t$var_accounts_password_minlen_login_defs" &gt;&gt; /etc/login.defs
+fi
+</fix>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-export export-name="oval:ssg:var:281" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs"/>
+              <check-content-ref name="oval:ssg:def:155" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check the minimum password length, run the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_LEN /etc/login.defs</pre>
+Passwords of length <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">12</xhtml:code> characters and more are nowadays
+considered to be a standard requirement.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" selected="false" severity="medium">
+            <title xml:lang="en-US">Password Minimum Age</title>
+            <description xml:lang="en-US">To specify password minimum age for new accounts,
+edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <b>DAYS</b></pre>
+and correct it to have the form of:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MIN_DAYS <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/></b></pre>
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+A value greater than 1 day is considered to be sufficient for many environments.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">198</reference>
+            <rationale xml:lang="en-US">
+Setting the minimum password age protects against users cycling
+back to a favorite password after satisfying the password reuse
+requirement.
+</rationale>
+            <fix system="urn:xccdf:fix:script:sh">var_accounts_minimum_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/>"
+grep -q ^PASS_MIN_DAYS /etc/login.defs &amp;&amp; \
+sed -i "s/PASS_MIN_DAYS.*/PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]
+then
+  echo -e "PASS_MIN_DAYS\t$var_accounts_minimum_age_login_defs" &gt;&gt; /etc/login.defs
+fi
+</fix>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-export export-name="oval:ssg:var:279" value-id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs"/>
+              <check-content-ref name="oval:ssg:def:135" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check the minimum password age, run the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MIN_DAYS /etc/login.defs</pre>
+A value greater than 1 day is considered to be sufficient for many environments.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="false" severity="medium">
+            <title xml:lang="en-US">Password Maximum Age</title>
+            <description xml:lang="en-US">To specify password maximum age for new accounts,
+edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <b>DAYS</b></pre>
+and correct it to have the form of:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_MAX_DAYS <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/></b></pre>
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+A value less than 180 days is sufficient for many environments.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(g)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(1)(d)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">180</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">199</reference>
+            <rationale xml:lang="en-US">
+Setting the password maximum age ensures users are required to
+periodically change their passwords. This could possibly decrease
+the utility of a stolen password. Requiring shorter password lifetimes
+increases the risk of users writing down the password in a convenient
+location subject to physical compromise.</rationale>
+            <fix system="urn:xccdf:fix:script:sh">var_accounts_maximum_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/>"
+grep -q ^PASS_MAX_DAYS /etc/login.defs &amp;&amp; \
+sed -i "s/PASS_MAX_DAYS.*/PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]
+then
+  echo -e "PASS_MAX_DAYS\t$var_accounts_maximum_age_login_defs" &gt;&gt; /etc/login.defs
+fi
+</fix>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-export export-name="oval:ssg:var:282" value-id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs"/>
+              <check-content-ref name="oval:ssg:def:157" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check the maximum password age, run the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_MAX_DAYS /etc/login.defs</pre>
+A value less than 180 days is sufficient for many environments.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" selected="false" severity="low">
+            <title xml:lang="en-US">Password Warning Age</title>
+            <description xml:lang="en-US">To specify how many days prior to password
+expiration that a warning will be issued to users,
+edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/login.defs</xhtml:code>, locate the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_WARN_AGE <b>DAYS</b></pre>
+and correct it to have the form of:
+<pre xmlns="http://www.w3.org/1999/xhtml">PASS_WARN_AGE <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/></b></pre>
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+A value of 7 days would be nowadays considered to be a standard.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(f)</reference>
+            <rationale xml:lang="en-US">
+Setting the password warning age enables users to make the change
+at a practical time.
+</rationale>
+            <fix system="urn:xccdf:fix:script:sh">var_accounts_password_warn_age_login_defs="<sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/>"
+grep -q ^PASS_WARN_AGE /etc/login.defs &amp;&amp; \
+sed -i "s/PASS_WARN_AGE.*/PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs/g" /etc/login.defs
+if ! [ $? -eq 0 ]
+then
+  echo -e "PASS_WARN_AGE\t$var_accounts_password_warn_age_login_defs" &gt;&gt; /etc/login.defs
+fi
+</fix>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-export export-name="oval:ssg:var:280" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs"/>
+              <check-content-ref name="oval:ssg:def:142" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it is not set to the required value" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check the password warning age, run the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PASS_WARN_AGE /etc/login.defs</pre>
+A value of 7 days would be nowadays considered to be a standard.
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_accounts-physical">
+        <title xml:lang="en-US">Protect Physical Console Access</title>
+        <description xml:lang="en-US">It is impossible to fully protect a system from an
+attacker with physical access, so securing the space in which the
+system is located should be considered a necessary step. However,
+there are some steps which, if taken, make it more difficult for an
+attacker to quickly or undetectably modify a system from its
+console.</description>
+        <Group id="xccdf_org.ssgproject.content_group_bootloader">
+          <title xml:lang="en-US">Set Boot Loader Password</title>
+          <description xml:lang="en-US">During the boot process, the boot loader is
+responsible for starting the execution of the kernel and passing
+options to it. The boot loader allows for the selection of
+different kernels - possibly on different partitions or media.
+The default Fedora boot loader for x86 systems is called GRUB2.
+Options it can pass to the kernel include <i xmlns="http://www.w3.org/1999/xhtml">single-user mode</i>, which
+provides root access without any authentication, and the ability to
+disable SELinux. To prevent local users from modifying the boot
+parameters and endangering security, protect the boot loader configuration
+with a password and ensure its configuration file's permissions
+are set properly.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_file_user_owner_grub2_cfg" selected="false" severity="medium">
+            <title xml:lang="en-US">Verify /boot/grub2/grub.cfg User Ownership</title>
+            <description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should
+be owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> user to prevent destruction
+or modification of the file.
+
+    To properly set the owner of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chown root/boot/grub2/grub.cfg</xhtml:pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
+            <reference href="http://iase.disa.mil/cci/index.html">225</reference>
+            <rationale xml:lang="en-US">
+Only root should be able to modify important boot parameters.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:139" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+
+    To check the ownership of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ls -lL /boot/grub2/grub.cfg</xhtml:pre>
+    If properly configured, the output should indicate the following owner:
+    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code>
+            </check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_file_group_owner_grub2_cfg" selected="false" severity="medium">
+            <title xml:lang="en-US">Verify /boot/grub2/grub.cfg Group Ownership</title>
+            <description xml:lang="en-US">The file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should
+be group-owned by the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> group to prevent
+destruction or modification of the file.
+
+    To properly set the group owner of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chgrp root/boot/grub2/grub.cfg</xhtml:pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
+            <reference href="http://iase.disa.mil/cci/index.html">225</reference>
+            <rationale xml:lang="en-US">
+The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:126" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+
+    To check the group ownership of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ls -lL /boot/grub2/grub.cfg</xhtml:pre>
+    If properly configured, the output should indicate the following group-owner.
+    <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">root</xhtml:code>
+            </check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg" selected="false" severity="medium">
+            <title xml:lang="en-US">Verify /boot/grub2/grub.cfg Permissions</title>
+            <description xml:lang="en-US">File permissions for <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code> should be set to 600, which
+is the default.
+
+    To properly set the permissions of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/boot/grub2/grub.cfg</xhtml:code>, run the command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve"># chmod 600/boot/grub2/grub.cfg</xhtml:pre>
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"/>
+            <reference href="http://iase.disa.mil/cci/index.html">225</reference>
+            <rationale xml:lang="en-US">
+Proper permissions ensure that only the root user can modify important boot
+parameters.
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:152" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To check the permissions of /boot/grub2/grub.cfg, run the command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ sudo ls -lL /boot/grub2/grub.cfg</pre>
+If properly configured, the output should indicate the following
+permissions: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">-rw-------</xhtml:code>
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_bootloader_password" selected="false" severity="medium">
+            <title xml:lang="en-US">Set Boot Loader Password</title>
+            <description xml:lang="en-US">The grub2 boot loader should have a superuser account and password
+protection enabled to protect boot-time settings.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+To do so, select a superuser account and password and add them into the
+appropriate grub2 configuration file(s) under <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.d</xhtml:code>.
+Since plaintext passwords are a security risk, generate a hash for the pasword
+by running the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ grub2-mkpasswd-pbkdf2</pre>
+When prompted, enter the password that was selected and insert the returned
+password hash into the appropriate grub2 configuration file(s) under
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/grub.d</xhtml:code> immediately after the superuser account.
+(Use the output from <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub2-mkpasswd-pbkdf2</xhtml:code> as the value of
+<b xmlns="http://www.w3.org/1999/xhtml">password-hash</b>):
+<pre xmlns="http://www.w3.org/1999/xhtml">password_pbkdf2 <b>superusers-account</b> <b>password-hash</b></pre>
+NOTE: It is recommended not to use common administrator account names like root,
+admin, or administrator for the grub2 superuser account.
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+To meet FISMA Moderate, the bootloader superuser account and password MUST
+differ from the root account and password.
+Once the superuser account and password have been added, update the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub.cfg</xhtml:code> file by running:
+<pre xmlns="http://www.w3.org/1999/xhtml">grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
+NOTE: Do NOT manually add the superuser account and password to the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">grub.cfg</xhtml:code> file as the grub2-mkconfig command overwrites this file.
+</description>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
+            <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-5(e)</reference>
+            <reference href="http://iase.disa.mil/cci/index.html">213</reference>
+            <rationale xml:lang="en-US">
+Password protection on the boot loader configuration ensures
+users with physical access cannot trivially alter
+important bootloader settings. These include which kernel to use,
+and whether to enter single-user mode. For more information on how to configure
+the grub2 superuser account and password, please refer to
+<ul xmlns="http://www.w3.org/1999/xhtml"><li>https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sec-GRUB_2_Password_Protection.html</li>.
+</ul>
+</rationale>
+            <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <check-content-ref name="oval:ssg:def:193" href="ssg-fedora-oval.xml"/>
+            </check>
+            <check system="ocil-transitional">
+              <check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To verify the boot loader superuser account and superuser account password have
+been set, and the password encrypted, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">sudo grep -A1 "superusers\|password" /etc/grub2.cfg</pre>
+The output should show the following:
+<pre xmlns="http://www.w3.org/1999/xhtml">set superusers="<b>superusers-account</b>"
+password_pbkdf2 <b>superusers-account</b> <b>password-hash</b></pre>
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+        <Rule id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="false" severity="medium">
+          <title xml:lang="en-US">Require Authentication for Single User Mode</title>
+          <description xml:lang="en-US">Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup. By default, no authentication
+is performed if single-user mode is selected.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+To require entry of the root password even if the system is
+started in single-user mode, add or correct the following line in the
+file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/init</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">SINGLE=/sbin/sulogin</pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">213</reference>
+          <rationale xml:lang="en-US">
+This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+</rationale>
+          <check system="ocil-transitional">
+            <check-export export-name="the output is different" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To check if authentication is required for single-user mode, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ grep SINGLE /etc/sysconfig/init</pre>
+The output should be the following:
+<pre xmlns="http://www.w3.org/1999/xhtml">SINGLE=/sbin/sulogin</pre>
+</check-content>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="false" severity="high">
+          <title xml:lang="en-US">Disable Ctrl-Alt-Del Reboot Activation</title>
+          <description xml:lang="en-US">
+By default, the system includes the following line in
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</xhtml:code>
+to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
+<pre xmlns="http://www.w3.org/1999/xhtml">exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</pre>
+<br xmlns="http://www.w3.org/1999/xhtml"/>
+To configure the system to log a message instead of
+rebooting the system, alter that line to read as follows:
+<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre>
+</description>
+          <rationale xml:lang="en-US">
+A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
+can reboot the system. If accidentally pressed, as could happen in
+the case of mixed OS environment, this can create the risk of short-term
+loss of availability of systems due to unintentional reboot.
+In the GNOME graphical environment, risk of unintentional reboot from the
+Ctrl-Alt-Del sequence is reduced because the user will be
+prompted before any action is taken.
+</rationale>
+          <check system="ocil-transitional">
+            <check-export export-name="the system is configured to run the shutdown command" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To ensure the system is configured to log a message instead of rebooting the system when
+Ctrl-Alt-Del is pressed, ensure the following line is in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/init/control-alt-delete.conf</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre>
+</check-content>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_disable_interactive_boot" selected="false" severity="medium">
+          <title xml:lang="en-US">Disable Interactive Boot</title>
+          <description xml:lang="en-US">
+To disable the ability for users to perform interactive startups,
+edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/init</xhtml:code>.
+Add or correct the line:
+<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre>
+The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PROMPT</xhtml:code> option allows the console user to perform an
+interactive system startup, in which it is possible to select the
+set of services which are started on boot.
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">SC-2</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">213</reference>
+          <rationale xml:lang="en-US">
+Using interactive boot,
+the console user could disable auditing, firewalls, or other
+services, weakening system security.
+</rationale>
+          <check system="ocil-transitional">
+            <check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To check whether interactive boot is disabled, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ grep PROMPT /etc/sysconfig/init</pre>
+If interactive boot is disabled, the output will show:
+<pre xmlns="http://www.w3.org/1999/xhtml">PROMPT=no</pre>
+</check-content>
+          </check>
+        </Rule>
+        <Group id="xccdf_org.ssgproject.content_group_screen_locking">
+          <title xml:lang="en-US">Configure Screen Locking</title>
+          <description xml:lang="en-US">When a user must temporarily leave an account
+logged-in, screen locking should be employed to prevent passersby
+from abusing the account. User education and training is
+particularly important for screen locking to be effective, and policies
+can be implemented to reinforce this.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Automatic screen locking is only meant as a safeguard for
+those cases where a user forgot to lock the screen.</description>
+          <Group id="xccdf_org.ssgproject.content_group_gui_screen_locking">
+            <title xml:lang="en-US">Configure GUI Screen Locking</title>
+            <description xml:lang="en-US">In the default GNOME desktop, the screen can be locked
+by choosing <b xmlns="http://www.w3.org/1999/xhtml">Lock Screen</b> from the <b xmlns="http://www.w3.org/1999/xhtml">System</b> menu.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gconftool-2</xhtml:code> program can be used to enforce mandatory
+screen locking settings for the default GNOME environment.
+The
+following sections detail commands to enforce idle activation of the screen saver,
+screen locking, a blank-screen screensaver, and an idle
+activation time.
+
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Because users should be trained to lock the screen when they
+step away from the computer, the automatic locking feature is only
+meant as a backup. The Lock Screen icon from the System menu can
+also be dragged to the taskbar in order to facilitate even more
+convenient screen-locking.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+The root account cannot be screen-locked, but this should
+<!-- TODO: is this still true? -->have no practical effect as the root account should <i xmlns="http://www.w3.org/1999/xhtml">never</i> be used
+to log into an X Windows environment, and should only be used to
+for direct login via console in emergency circumstances.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+For more information about configuring GNOME screensaver, see
+http://live.gnome.org/GnomeScreensaver. For more information about
+enforcing preferences in the GNOME environment using the GConf
+configuration system, see http://projects.gnome.org/gconf and
+the man page <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">gconftool-2(1)</xhtml:code>.</description>
+            <Value id="xccdf_org.ssgproject.content_value_inactivity_timeout_value" operator="equals" type="number">
+              <title xml:lang="en-US">Inactivity timeout</title>
+              <description xml:lang="en-US">Choose allowed duration of inactive SSH connections, shells, and X sessions</description>
+              <value>15</value>
+              <value selector="5_minutes">5</value>
+              <value selector="10_minutes">10</value>
+              <value selector="15_minutes">15</value>
+            </Value>
+            <Rule id="xccdf_org.ssgproject.content_rule_set_screensaver_inactivity_timeout" selected="false" severity="medium">
+              <title xml:lang="en-US">Set GNOME Login Inactivity Timeout</title>
+              <description xml:lang="en-US">
+Run the following command to set the idle time-out value for
+inactivity in the GNOME desktop to 15 minutes:
+<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 \
+  --direct \
+  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+  --type int \
+  --set /apps/gnome-screensaver/idle_delay 15</pre>
+</description>
+              <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">57</reference>
+              <rationale xml:lang="en-US">
+Setting the idle delay controls when the
+screensaver will start, and can be combined with
+screen locking to prevent access from passersby.
+</rationale>
+              <check system="ocil-transitional">
+                <check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+                <check-content>
+To check the current idle time-out value, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/idle_delay</pre>
+If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">15</xhtml:code>.
+</check-content>
+              </check>
+            </Rule>
+            <Rule id="xccdf_org.ssgproject.content_rule_enable_screensaver_after_idle" selected="false" severity="medium">
+              <title xml:lang="en-US">GNOME Desktop Screensaver Mandatory Use</title>
+              <description xml:lang="en-US">
+Run the following command to activate the screensaver
+in the GNOME desktop after a period of inactivity:
+<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \
+  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+  --type bool \
+  --set /apps/gnome-screensaver/idle_activation_enabled true</pre>
+</description>
+              <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">57</reference>
+              <rationale xml:lang="en-US">
+Enabling idle activation of the screen saver ensures the screensaver will
+be activated after the idle delay.  Applications requiring continuous,
+real-time screen display (such as network management products) require the
+login session does not have administrator rights and the display station is located in a
+controlled-access area.
+</rationale>
+              <check system="ocil-transitional">
+                <check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+                <check-content>To check the screensaver mandatory use status, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled</pre>
+If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
+</check-content>
+              </check>
+            </Rule>
+            <Rule id="xccdf_org.ssgproject.content_rule_enable_screensaver_password_lock" selected="false" severity="medium">
+              <title xml:lang="en-US">Enable Screen Lock Activation After Idle Period</title>
+              <description xml:lang="en-US">
+Run the following command to activate locking of the screensaver
+in the GNOME desktop when it is activated:
+<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \
+  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+  --type bool \
+  --set /apps/gnome-screensaver/lock_enabled true</pre>
+</description>
+              <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(a)</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">57</reference>
+              <rationale xml:lang="en-US">
+Enabling the activation of the screen lock after an idle period
+ensures password entry will be required in order to
+access the system, preventing access by passersby.
+</rationale>
+              <check system="ocil-transitional">
+                <check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+                <check-content>
+To check the status of the idle screen lock activation, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/lock_enabled</pre>
+If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">true</xhtml:code>.
+</check-content>
+              </check>
+            </Rule>
+            <Rule id="xccdf_org.ssgproject.content_rule_set_blank_screensaver" selected="false" severity="low">
+              <title xml:lang="en-US">Implement Blank Screen Saver</title>
+              <description xml:lang="en-US">
+Run the following command to set the screensaver mode
+in the GNOME desktop to a blank screen:
+<pre xmlns="http://www.w3.org/1999/xhtml"># gconftool-2 --direct \
+  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
+  --type string \
+  --set /apps/gnome-screensaver/mode blank-only</pre>
+</description>
+              <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-11(b)</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">60</reference>
+              <rationale xml:lang="en-US">
+Setting the screensaver mode to blank-only conceals the
+contents of the display from passersby.
+</rationale>
+              <check system="ocil-transitional">
+                <check-export export-name="it is not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+                <check-content>
+To ensure the screensaver is configured to be blank, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ gconftool-2 -g /apps/gnome-screensaver/mode</pre>
+If properly configured, the output should be <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">blank-only</xhtml:code>
+</check-content>
+              </check>
+            </Rule>
+          </Group>
+          <Group id="xccdf_org.ssgproject.content_group_console_screen_locking">
+            <title xml:lang="en-US">Configure Console Screen Locking</title>
+            <description xml:lang="en-US">
+A console screen locking mechanism is provided in the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package, which is not installed by default.
+</description>
+            <Rule id="xccdf_org.ssgproject.content_rule_package_screen_installed" selected="false" severity="low">
+              <title xml:lang="en-US">Install the screen Package</title>
+              <description xml:lang="en-US">
+To enable console screen locking, install the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package:
+<pre xmlns="http://www.w3.org/1999/xhtml"># yum install screen</pre>
+Instruct users to begin new terminal sessions with the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ screen</pre>
+The console can now be locked with the following key combination:
+<pre xmlns="http://www.w3.org/1999/xhtml">ctrl+a x</pre>
+</description>
+              <reference href="http://iase.disa.mil/cci/index.html">58</reference>
+              <rationale xml:lang="en-US">
+Installing <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> ensures a console locking capability is available
+for users who may need to suspend console logins.
+</rationale>
+              <check system="ocil-transitional">
+                <check-export export-name="the package is not installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+                <check-content>
+
+    Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">screen</xhtml:code> package is installed:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q screen</xhtml:pre>
+              </check-content>
+              </check>
+            </Rule>
+          </Group>
+          <Group id="xccdf_org.ssgproject.content_group_smart_card_login">
+            <title xml:lang="en-US">Hardware Tokens for Authentication</title>
+            <description xml:lang="en-US">
+The use of hardware tokens such as smart cards for system login
+provides stronger, two-factor authentication than using a username/password.
+In Fedora servers and workstations, hardware token login
+is not enabled by default and must be enabled in the system settings.
+</description>
+            <Rule id="xccdf_org.ssgproject.content_rule_smartcard_auth" selected="false" severity="medium">
+              <title xml:lang="en-US">Enable Smart Card Login</title>
+              <description xml:lang="en-US">
+To enable smart card authentication, consult the documentation at:
+<ul xmlns="http://www.w3.org/1999/xhtml"><li>https://docs.fedoraproject.org/docs/en-US/Fedora/18/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html</li></ul>
+</description>
+              <reference href="http://iase.disa.mil/cci/index.html">765</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">766</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">767</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">768</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">771</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">772</reference>
+              <reference href="http://iase.disa.mil/cci/index.html">884</reference>
+              <rationale xml:lang="en-US">Smart card login provides two-factor authentication stronger than
+that provided by a username/password combination. Smart cards leverage a PKI
+(public key infrastructure) in order to provide and verify credentials.
+</rationale>
+              <check system="ocil-transitional">
+                <check-export export-name="non-exempt accounts are not using CAC authentication" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+                <check-content>
+Interview the SA to determine if all accounts not exempted by policy are
+using CAC authentication.
+</check-content>
+              </check>
+            </Rule>
+          </Group>
+        </Group>
+      </Group>
+    </Group>
+  </Group>
+  <Group id="xccdf_org.ssgproject.content_group_services">
+    <title xml:lang="en-US">Services</title>
+    <description xml:lang="en-US">
+The best protection against vulnerable software is running less software. This
+section describes how to review the software which Fedora installs on a system
+and disable software which is not needed. It then enumerates the software
+packages installed on a default Fedora system and provides guidance about which
+ones can be safely disabled.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Fedora provides a convenient minimal install option that essentially installs
+the bare necessities for a functional system. When building Fedora servers, it
+is highly recommended to select the minimal packages and then build up the
+system from there.
+</description>
+    <Group id="xccdf_org.ssgproject.content_group_ntp">
+      <title xml:lang="en-US">Network Time Protocol</title>
+      <description xml:lang="en-US">The Network Time Protocol is used to manage the system clock over
+a network. Computer clocks are not very accurate, so time will drift
+unpredictably on unmanaged systems. Central time protocols can be used both to
+ensure that time is consistent among a network of machines, and that their time
+is consistent with the outside world.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+If every system on a network reliably reports the same time, then it is much
+easier to correlate log messages in case of an attack. In addition, a number of
+cryptographic protocols (such as Kerberos) use timestamps to prevent certain
+types of attacks. If your network does not have synchronized time, these
+protocols may be unreliable or even unusable.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Depending on the specifics of the network, global time accuracy may be just as
+important as local synchronization, or not very important at all. If your
+network is connected to the Internet, using a public timeserver (or one
+provided by your enterprise) provides globally accurate timestamps which may be
+essential in investigating or responding to an attack which originated outside
+of your network.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+A typical network setup involves a small number of internal systems operating
+as NTP servers, and the remainder obtaining time information from those
+internal servers.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+More information on how to configure the NTP server software, including
+configuration of cryptographic authentication for time data, is available at
+http://www.ntp.org.
+</description>
+      <Rule id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" selected="false" severity="medium">
+        <title xml:lang="en-US">NTP Daemon Enabled</title>
+        <description xml:lang="en-US">
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service can be enabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl enable ntpd.service</xhtml:pre>
+        </description>
+        <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
+        <reference href="http://iase.disa.mil/cci/index.html">160</reference>
+        <rationale xml:lang="en-US">Enabling the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code> service ensures that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpd</xhtml:code>
+service will be running and that the system will synchronize its time to any
+servers specified. This is important whether the system is configured to be a
+client (and synchronize only its own clock) or it is also acting as an NTP
+server to other systems.  Synchronizing time is essential for authentication
+services such as Kerberos, but it is also important for maintaining accurate
+logs and auditing possible security breaches.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+The NTP daemon offers all of the functionality of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ntpdate</xhtml:code>, which is
+now deprecated.  Additional information on this is available at
+http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</rationale>
+        <fix system="urn:xccdf:fix:script:sh">#
+# Install ntp package if necessary
+#
+
+yum -y install ntp
+
+#
+# Enable ntpd service (for current systemd target)
+#
+
+systemctl enable ntpd.service
+
+#
+# Start ntpd if not currently running
+#
+
+systemctl start ntpd.service
+</fix>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref name="oval:ssg:def:169" href="ssg-fedora-oval.xml"/>
+        </check>
+      </Rule>
+      <Rule id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" selected="false" severity="medium">
+        <title xml:lang="en-US">Remote NTP Server Specified</title>
+        <description xml:lang="en-US">To specify a remote NTP server for time synchronization, edit
+the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ntp.conf</xhtml:code>. Add or correct the following lines,
+substituting the IP or hostname of a remote NTP server for <em xmlns="http://www.w3.org/1999/xhtml">ntpserver</em>:
+<pre xmlns="http://www.w3.org/1999/xhtml">server <i>ntpserver</i></pre>
+This instructs the NTP software to contact that remote server to obtain time
+data.
+</description>
+        <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AU-8(1)</reference>
+        <reference href="http://iase.disa.mil/cci/index.html">160</reference>
+        <rationale xml:lang="en-US">Synchronizing with an NTP server makes it possible to collate system
+logs from multiple sources or correlate computer events with real time events.
+</rationale>
+        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+          <check-content-ref name="oval:ssg:def:146" href="ssg-fedora-oval.xml"/>
+        </check>
+      </Rule>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_ssh">
+      <title xml:lang="en-US">SSH Server</title>
+      <description xml:lang="en-US">The SSH protocol is recommended for remote login and remote file
+transfer. SSH provides confidentiality and integrity for data exchanged between
+two systems, as well as server authentication, through the use of public key
+cryptography. The implementation included with the system is called OpenSSH,
+and more detailed documentation is available from its website,
+http://www.openssh.org. Its server program is called <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sshd</xhtml:code> and
+provided by the RPM package <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">openssh-server</xhtml:code>.</description>
+      <Value id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" operator="equals" type="number">
+        <title xml:lang="en-US">SSH session Idle time</title>
+        <description xml:lang="en-US">Specify duration of allowed idle time.</description>
+        <value>300</value>
+        <value selector="5_minutes">300</value>
+        <value selector="10_minutes">600</value>
+        <value selector="15_minutes">900</value>
+      </Value>
+      <Group id="xccdf_org.ssgproject.content_group_ssh_server">
+        <title xml:lang="en-US">Configure OpenSSH Server if Necessary</title>
+        <description xml:lang="en-US">If the system needs to act as an SSH server, then certain changes
+should be made to the OpenSSH daemon configuration file
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>. The following recommendations can be applied
+to this file. See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">sshd_config(5)</xhtml:code> man page for more detailed
+information.</description>
+        <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="false" severity="medium">
+          <title xml:lang="en-US">SSH Root Login Disabled</title>
+          <description xml:lang="en-US">The root user should never be allowed to login to a system
+directly over a network. To disable root login via SSH, add or correct the
+following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">PermitRootLogin no</pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">AC-6(2)</reference>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">IA-2(1)</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">770</reference>
+          <rationale xml:lang="en-US">
+Permitting direct root login reduces auditable information about who ran
+privileged commands on the system and also allows direct attack attempts on
+root's password.
+</rationale>
+          <fix system="urn:xccdf:fix:script:sh">
+SSHD_CONFIG='/etc/ssh/sshd_config'
+
+# Obtain line number of first uncommented case-insensitive occurrence of Match
+# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
+FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Obtain line number of first uncommented case-insensitive occurence of
+# PermitRootLogin directive (possibly prefixed with whitespace) present in
+# $SSHD_CONFIG
+FIRST_PERMIT_ROOT_LOGIN=$(sed -n '/^[[:space:]]*PermitRootLogin[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Case: Match block directive not present in $SSHD_CONFIG
+if [ -z "$FIRST_MATCH_BLOCK" ]
+then
+
+    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
+    then
+        # Append 'PermitRootLogin no' at the end of $SSHD_CONFIG
+        echo -e "\nPermitRootLogin no" &gt;&gt; $SSHD_CONFIG
+
+    # Case: PermitRootLogin directive present in $SSHD_CONFIG already
+    else
+        # Replace first uncommented case-insensitive occurrence
+        # of PermitRootLogin directive
+        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
+    fi
+
+# Case: Match block directive present in $SSHD_CONFIG
+else
+
+    # Case: PermitRootLogin directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_PERMIT_ROOT_LOGIN" ]
+    then
+        # Prepend 'PermitRootLogin no' before first uncommented
+        # case-insensitive occurrence of Match block directive
+        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
+
+    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
+    #       before first Match block directive
+    elif [ "$FIRST_PERMIT_ROOT_LOGIN" -lt "$FIRST_MATCH_BLOCK" ]
+    then
+        # Replace first uncommented case-insensitive occurrence
+        # of PermitRootLogin directive
+        sed -i "$FIRST_PERMIT_ROOT_LOGIN s/^[[:space:]]*PermitRootLogin.*$/PermitRootLogin no/I" $SSHD_CONFIG
+
+    # Case: PermitRootLogin directive present in $SSHD_CONFIG and placed
+    # after first Match block directive
+    else
+         # Prepend 'PermitRootLogin no' before first uncommented
+         # case-insensitive occurrence of Match block directive
+         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitRootLogin no\n\1/I" $SSHD_CONFIG
+    fi
+fi
+</fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:188" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="false" severity="high">
+          <title xml:lang="en-US">SSH Access via Empty Passwords Disabled</title>
+          <description xml:lang="en-US">To explicitly disallow remote login from accounts with empty
+passwords, add or correct the following line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">PermitEmptyPasswords no</pre>
+Any accounts with empty passwords should be disabled immediately, and PAM
+configuration should prevent users from being able to assign themselves empty
+passwords.
+</description>
+          <reference href="http://iase.disa.mil/cci/index.html">765</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">766</reference>
+          <rationale xml:lang="en-US">
+Configuring this setting for the SSH daemon provides additional assurance that
+remote login via SSH will require a password, even in the event of
+misconfiguration elsewhere.
+</rationale>
+          <fix system="urn:xccdf:fix:script:sh">
+SSHD_CONFIG='/etc/ssh/sshd_config'
+
+# Obtain line number of first uncommented case-insensitive occurrence of Match
+# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
+FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Obtain line number of first uncommented case-insensitive occurence of
+# PermitEmptyPasswords directive (possibly prefixed with whitespace) present in
+# $SSHD_CONFIG
+FIRST_PERMIT_EMPTY_PASSWORDS=$(sed -n '/^[[:space:]]*PermitEmptyPasswords[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Case: Match block directive not present in $SSHD_CONFIG
+if [ -z "$FIRST_MATCH_BLOCK" ]
+then
+
+    # Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
+    then
+        # Append 'PermitEmptyPasswords no' at the end of $SSHD_CONFIG
+        echo -e "\nPermitEmptyPasswords no" &gt;&gt; $SSHD_CONFIG
+
+    # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG already
+    else
+        # Replace first uncommented case-insensitive occurrence
+        # of PermitEmptyPasswords directive
+        sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
+    fi
+
+# Case: Match block directive present in $SSHD_CONFIG
+else
+
+    # Case: PermitEmptyPasswords directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_PERMIT_EMPTY_PASSWORDS" ]
+    then
+        # Prepend 'PermitEmptyPasswords no' before first uncommented
+        # case-insensitive occurrence of Match block directive
+        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
+
+    # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
+    #       before first Match block directive
+    elif [ "$FIRST_PERMIT_EMPTY_PASSWORDS" -lt "$FIRST_MATCH_BLOCK" ]
+    then
+        # Replace first uncommented case-insensitive occurrence
+        # of PermitEmptyPasswords directive
+        sed -i "$FIRST_PERMIT_EMPTY_PASSWORDS s/^[[:space:]]*PermitEmptyPasswords.*$/PermitEmptyPasswords no/I" $SSHD_CONFIG
+
+    # Case: PermitEmptyPasswords directive present in $SSHD_CONFIG and placed
+    # after first Match block directive
+    else
+         # Prepend 'PermitEmptyPasswords no' before first uncommented
+         # case-insensitive occurrence of Match block directive
+         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/PermitEmptyPasswords no\n\1/I" $SSHD_CONFIG
+    fi
+fi
+</fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:204" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="false" severity="low">
+          <title xml:lang="en-US">SSH Idle Timeout Interval Used</title>
+          <description xml:lang="en-US">SSH allows administrators to set an idle timeout interval.
+After this interval has passed, the idle user will be automatically logged out.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+To set an idle timeout interval, edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code> file,
+locate the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval <b>INTERVAL</b></pre>
+and correct it to have the form of:
+<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveInterval <b><sub xmlns="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/></b></pre>
+The timeout <b xmlns="http://www.w3.org/1999/xhtml">INTERVAL</b> is given in seconds. To have a timeout of 15
+minutes, set <b xmlns="http://www.w3.org/1999/xhtml">INTERVAL</b> to 900.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+If a shorter timeout has already been set for the login shell, that value will
+preempt any SSH setting made here. Keep in mind that some processes may stop
+SSH from correctly detecting that the user is idle.
+</description>
+          <reference href="http://iase.disa.mil/cci/index.html">879</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1133</reference>
+          <rationale xml:lang="en-US">
+Causing idle users to be automatically logged out guards against compromises
+one system leading trivially to compromises on another.
+</rationale>
+          <fix system="urn:xccdf:fix:script:sh">sshd_idle_timeout_value="<sub idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/>"
+SSHD_CONFIG='/etc/ssh/sshd_config'
+
+# Obtain line number of first uncommented case-insensitive occurrence of Match
+# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
+FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Obtain line number of first uncommented case-insensitive occurence of
+# ClientAliveInterval directive (possibly prefixed with whitespace) present in
+# $SSHD_CONFIG
+FIRST_CLIENT_ALIVE_INTERVAL=$(sed -n '/^[[:space:]]*ClientAliveInterval[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Case: Match block directive not present in $SSHD_CONFIG
+if [ -z "$FIRST_MATCH_BLOCK" ]
+then
+
+    # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
+    then
+        # Append 'ClientAliveInterval $sshd_idle_timeout_value' at the end of $SSHD_CONFIG
+        echo -e "\nClientAliveInterval $sshd_idle_timeout_value" &gt;&gt; $SSHD_CONFIG
+
+    # Case: ClientAliveInterval directive present in $SSHD_CONFIG already
+    else
+        # Replace first uncommented case-insensitive occurrence
+        # of ClientAliveInterval directive
+        sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
+    fi
+
+# Case: Match block directive present in $SSHD_CONFIG
+else
+
+    # Case: ClientAliveInterval directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_CLIENT_ALIVE_INTERVAL" ]
+    then
+        # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
+        # case-insensitive occurrence of Match block directive
+        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
+
+    # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
+    #       before first Match block directive
+    elif [ "$FIRST_CLIENT_ALIVE_INTERVAL" -lt "$FIRST_MATCH_BLOCK" ]
+    then
+        # Replace first uncommented case-insensitive occurrence
+        # of ClientAliveInterval directive
+        sed -i "$FIRST_CLIENT_ALIVE_INTERVAL s/^[[:space:]]*ClientAliveInterval.*$/ClientAliveInterval $sshd_idle_timeout_value/I" $SSHD_CONFIG
+
+    # Case: ClientAliveInterval directive present in $SSHD_CONFIG and placed
+    # after first Match block directive
+    else
+         # Prepend 'ClientAliveInterval $sshd_idle_timeout_value' before first uncommented
+         # case-insensitive occurrence of Match block directive
+         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveInterval $sshd_idle_timeout_value\n\1/I" $SSHD_CONFIG
+    fi
+fi
+</fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-export export-name="oval:ssg:var:283" value-id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value"/>
+            <check-content-ref name="oval:ssg:def:179" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="false" severity="low">
+          <title xml:lang="en-US">SSH Client Alive Count Used</title>
+          <description xml:lang="en-US">To ensure the SSH idle timeout occurs precisely when the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ClientAliveCountMax</xhtml:code> is set, edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ssh/sshd_config</xhtml:code> as
+follows:
+<pre xmlns="http://www.w3.org/1999/xhtml">ClientAliveCountMax 0</pre>
+</description>
+          <reference href="http://iase.disa.mil/cci/index.html">879</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1133</reference>
+          <rationale xml:lang="en-US">
+This ensures a user login will be terminated as soon as the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ClientAliveCountMax</xhtml:code> is reached.
+</rationale>
+          <fix system="urn:xccdf:fix:script:sh">
+SSHD_CONFIG='/etc/ssh/sshd_config'
+
+# Obtain line number of first uncommented case-insensitive occurrence of Match
+# block directive (possibly prefixed with whitespace) present in $SSHD_CONFIG
+FIRST_MATCH_BLOCK=$(sed -n '/^[[:space:]]*Match[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Obtain line number of first uncommented case-insensitive occurence of
+# ClientAliveCountMax directive (possibly prefixed with whitespace) present in
+# $SSHD_CONFIG
+FIRST_CLIENT_ALIVE_COUNT_MAX=$(sed -n '/^[[:space:]]*ClientAliveCountMax[^\n]*/I{=;q}' $SSHD_CONFIG)
+
+# Case: Match block directive not present in $SSHD_CONFIG
+if [ -z "$FIRST_MATCH_BLOCK" ]
+then
+
+    # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
+    then
+        # Append 'ClientAliveCountMax 0' at the end of $SSHD_CONFIG
+        echo -e "\nClientAliveCountMax 0" &gt;&gt; $SSHD_CONFIG
+
+    # Case: ClientAliveCountMax directive present in $SSHD_CONFIG already
+    else
+        # Replace first uncommented case-insensitive occurrence
+        # of ClientAliveCountMax directive
+        sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
+    fi
+
+# Case: Match block directive present in $SSHD_CONFIG
+else
+
+    # Case: ClientAliveCountMax directive not present in $SSHD_CONFIG yet
+    if [ -z "$FIRST_CLIENT_ALIVE_COUNT_MAX" ]
+    then
+        # Prepend 'ClientAliveCountMax 0' before first uncommented
+        # case-insensitive occurrence of Match block directive
+        sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
+
+    # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
+    #       before first Match block directive
+    elif [ "$FIRST_CLIENT_ALIVE_COUNT_MAX" -lt "$FIRST_MATCH_BLOCK" ]
+    then
+        # Replace first uncommented case-insensitive occurrence
+        # of ClientAliveCountMax directive
+        sed -i "$FIRST_CLIENT_ALIVE_COUNT_MAX s/^[[:space:]]*ClientAliveCountMax.*$/ClientAliveCountMax 0/I" $SSHD_CONFIG
+
+    # Case: ClientAliveCountMax directive present in $SSHD_CONFIG and placed
+    # after first Match block directive
+    else
+         # Prepend 'ClientAliveCountMax 0' before first uncommented
+         # case-insensitive occurrence of Match block directive
+         sed -i "$FIRST_MATCH_BLOCK s/^\([[:space:]]*Match[^\n]*\)/ClientAliveCountMax 0\n\1/I" $SSHD_CONFIG
+    fi
+fi
+</fix>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:166" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+      </Group>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_ftp">
+      <title xml:lang="en-US">FTP Server</title>
+      <description xml:lang="en-US">FTP is a common method for allowing remote access to
+files. Like telnet, the FTP protocol is unencrypted, which means
+that passwords and other data transmitted during the session can be
+captured and that the session is vulnerable to hijacking.
+Therefore, running the FTP server software is not recommended.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+However, there are some FTP server configurations which may
+be appropriate for some environments, particularly those which
+allow only read-only anonymous access as a means of downloading
+data available to the public.</description>
+      <Group id="xccdf_org.ssgproject.content_group_disabling_vsftpd">
+        <title xml:lang="en-US">Disable vsftpd if Possible</title>
+        <Rule id="xccdf_org.ssgproject.content_rule_disable_vsftpd" selected="false" severity="low">
+          <title xml:lang="en-US">Disable vsftpd Service</title>
+          <description xml:lang="en-US">
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable vsftpd.service</xhtml:pre>
+          </description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1436</reference>
+          <rationale xml:lang="en-US">
+Running FTP server software provides a network-based avenue
+of attack, and should be disabled if not needed.
+Furthermore, the FTP protocol is unencrypted and creates
+a risk of compromising sensitive information.
+</rationale>
+          <check system="ocil-transitional">
+            <check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+
+    To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service is disabled in system boot configuration, run the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>vsftpd</xhtml:code> --list</xhtml:pre>
+    Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> service has either not been installed,
+    or has been disabled at all runlevels, as shown in the example below:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>vsftpd</xhtml:code> --list
+<xhtml:code>vsftpd</xhtml:code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off</xhtml:pre>
+
+    Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> is disabled through current runtime configuration:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service vsftpd status</xhtml:pre>
+
+    If the service is disabled the command will return the following output:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd is stopped</xhtml:pre>
+          </check-content>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_uninstall_vsftpd" selected="false" severity="low">
+          <title xml:lang="en-US">Uninstall vsftpd Package</title>
+          <description xml:lang="en-US">
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package can be removed with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase vsftpd</xhtml:pre>
+          </description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
+          <reference href="http://iase.disa.mil/cci/index.html">1436</reference>
+          <rationale xml:lang="en-US">
+Removing the vsftpd package decreases the risk of its
+accidental activation.
+</rationale>
+          <check system="ocil-transitional">
+            <check-export export-name="the package is installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+
+    Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package is installed:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q vsftpd</xhtml:pre>
+          </check-content>
+          </check>
+        </Rule>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">
+        <title xml:lang="en-US">Use vsftpd to Provide FTP Service if Necessary</title>
+        <Rule id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed" selected="false" severity="low">
+          <title xml:lang="en-US">Install vsftpd Package</title>
+          <description xml:lang="en-US">If this machine must operate as an FTP server, install the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code> package via the standard channels.
+<pre xmlns="http://www.w3.org/1999/xhtml"># yum install vsftpd</pre>
+</description>
+          <reference href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf">CM-7</reference>
+          <rationale xml:lang="en-US">After RHEL 2.1, Red Hat switched from distributing wu-ftpd with RHEL to distributing vsftpd. For security
+and for consistency with future Red Hat releases, the use of vsftpd is recommended.</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:150" href="ssg-fedora-oval.xml"/>
+          </check>
+        </Rule>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">
+        <title xml:lang="en-US">Use vsftpd to Provide FTP Service if Necessary</title>
+        <description xml:lang="en-US">The primary vsftpd configuration file is
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd.conf</xhtml:code>, if that file exists, or
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code> if it does not.
+</description>
+        <Rule id="xccdf_org.ssgproject.content_rule_ftp_log_transactions" selected="false" severity="low">
+          <title xml:lang="en-US">Enable Logging of All FTP Transactions</title>
+          <description xml:lang="en-US">Add or correct the following configuration options within the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd</xhtml:code>
+configuration file, located at <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code>:
+<pre xmlns="http://www.w3.org/1999/xhtml">xferlog_enable=YES
+xferlog_std_format=NO
+log_ftp_protocol=YES</pre>
+</description>
+          <warning xml:lang="en-US" override="false" category="general">If verbose logging to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code> is done, sparse logging of downloads to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/log/xferlog</xhtml:code> will not also occur. However, the information about what files were downloaded is included in the information logged to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">vsftpd.log</xhtml:code></warning>
+          <rationale xml:lang="en-US">To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to
+the FTP server are logged using the verbose vsftpd log
+format. The default vsftpd log file is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/var/log/vsftpd.log</xhtml:code>.</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:183" href="ssg-fedora-oval.xml"/>
+          </check>
+          <check system="ocil-transitional">
+            <check-export export-name="xferlog_enable is missing, or is not set to yes" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+Find if logging is applied to the FTP daemon.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Procedures:
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+If vsftpd is started by xinetd the following command will indicate the xinetd.d startup file:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep vsftpd /etc/xinetd.d/*</pre>
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep server_args <i>vsftpd xinetd.d startup file</i></pre>
+This will indicate the vsftpd config file used when starting through xinetd.
+If the <i xmlns="http://www.w3.org/1999/xhtml">server_args</i> line is missing or does not include the vsftpd configuration file, then the default config file (/etc/vsftpd/vsftpd.conf) is used.
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep xferlog_enable <i>vsftpd config file</i></pre>
+</check-content>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_ftp_present_banner" selected="false" severity="medium">
+          <title xml:lang="en-US">Create Warning Banners for All FTP Users</title>
+          <description xml:lang="en-US">Edit the vsftpd configuration file, which resides at <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftpd/vsftpd.conf</xhtml:code>
+by default. Add or correct the following configuration options:
+<pre xmlns="http://www.w3.org/1999/xhtml">banner_file=/etc/issue</pre>
+</description>
+          <reference href="http://iase.disa.mil/cci/index.html">48</reference>
+          <rationale xml:lang="en-US">This setting will cause the system greeting banner to be used for FTP connections as well.</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:202" href="ssg-fedora-oval.xml"/>
+          </check>
+          <check system="ocil-transitional">
+            <check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+If FTP services are not installed, this is not applicable.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+To verify this configuration, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">grep "banner_file" /etc/vsftpd/vsftpd.conf</pre>
+
+The output should show the value of <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">banner_file</xhtml:code> is set to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/issue</xhtml:code>, an example of which is shown below:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep "banner_file" /etc/vsftpd/vsftpd.conf
+banner_file=/etc/issue</pre>
+</check-content>
+          </check>
+        </Rule>
+        <Group id="xccdf_org.ssgproject.content_group_ftp_restrict_users">
+          <title xml:lang="en-US">Restrict the Set of Users Allowed to Access FTP</title>
+          <description xml:lang="en-US">This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to
+do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an
+identified need for this access.</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon" selected="false" severity="low">
+            <title xml:lang="en-US">Restrict Access to Anonymous Users if Possible</title>
+            <description xml:lang="en-US">Is there a mission-critical reason for users to transfer files to/from their own accounts using FTP, rather than
+using a secure protocol like SCP/SFTP? If not, edit the vsftpd configuration file. Add or correct the following configuration option:
+<pre xmlns="http://www.w3.org/1999/xhtml">local_enable=NO</pre>
+If non-anonymous FTP logins are necessary, follow the guidance in the remainder of this section to secure
+these logins as much as possible.</description>
+            <rationale xml:lang="en-US">The use of non-anonymous FTP logins is strongly discouraged. Since SSH clients and servers are widely available, and since SSH provides support for a transfer mode which resembles FTP in user interface, there is no good reason to allow password-based FTP access. </rationale>
+          </Rule>
+          <Group id="xccdf_org.ssgproject.content_group_ftp_limit_users">
+            <title xml:lang="en-US">Limit Users Allowed FTP Access if Necessary</title>
+            <description xml:lang="en-US">If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
+<pre xmlns="http://www.w3.org/1999/xhtml">userlist_enable=YES
+userlist_file=/etc/vsftp.ftpusers
+userlist_deny=NO</pre>
+Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</xhtml:code>. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
+<pre xmlns="http://www.w3.org/1999/xhtml">USERNAME</pre>
+If anonymous access is also required, add the anonymous usernames to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/vsftp.ftpusers</xhtml:code> as well.
+<pre xmlns="http://www.w3.org/1999/xhtml">anonymous
+ftp</pre>
+</description>
+            <rationale xml:lang="en-US">Historically, the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/ftpusers</xhtml:code> contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">userlist deny=NO</xhtml:code> is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.</rationale>
+          </Group>
+        </Group>
+        <Rule id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads" selected="false" severity="low">
+          <title xml:lang="en-US">Disable FTP Uploads if Possible</title>
+          <description xml:lang="en-US">Is there a mission-critical reason for users to upload files via FTP? If not,
+edit the vsftpd configuration file to add or correct the following configuration options:
+<pre xmlns="http://www.w3.org/1999/xhtml">write_enable=NO</pre>
+If FTP uploads are necessary, follow the guidance in the remainder of this section to secure these transactions
+as much as possible.</description>
+          <rationale xml:lang="en-US">Anonymous FTP can be a convenient way to make files available for universal download. However, it is less
+common to have a need to allow unauthenticated users to place files on the FTP server. If this must be done, it
+is necessary to ensure that files cannot be uploaded and downloaded from the same directory.
+</rationale>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_ftp_home_partition" selected="false" severity="low">
+          <title xml:lang="en-US">Place the FTP Home Directory on its Own Partition</title>
+          <description xml:lang="en-US">By default, the anonymous FTP root is the home directory of the FTP user account. The df command can
+be used to verify that this directory is on its own partition.</description>
+          <rationale xml:lang="en-US">If there is a mission-critical reason for anonymous users to upload files, precautions must be taken to prevent
+these users from filling a disk used by other services.</rationale>
+        </Rule>
+        <Group id="xccdf_org.ssgproject.content_group_ftp_configure_firewall">
+          <title xml:lang="en-US">Configure Firewalls to Protect the FTP Server</title>
+          <description xml:lang="en-US">By default, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">iptables</xhtml:code>
+blocks access to the ports used by the web server.
+
+        To configure <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">iptables</xhtml:code> to allow port
+        21 traffic one must edit
+        <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables</xhtml:code>  and
+        <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/ip6tables</xhtml:code> (if IPv6 is in use).
+        Add the following line, ensuring that it appears before the final LOG
+        and DROP lines for the INPUT chain:
+        <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:space="preserve">-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT</xhtml:pre>
+Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/iptables-config</xhtml:code>. Ensure that the space-separated list of modules contains
+the FTP connection tracking module:
+<pre xmlns="http://www.w3.org/1999/xhtml">IPTABLES_MODULES="ip_conntrack_ftp"</pre></description>
+          <rationale xml:lang="en-US">These settings configure iptables to allow connections to an FTP server. The first line allows initial connections
+to the FTP server port.
+FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
+and server negotiate an arbitrary port to be used for data transfer. The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ip_conntrack_ftp</xhtml:code>  module is used by
+iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
+FTP server to operate on a machine which is running a firewall.</rationale>
+        </Group>
+      </Group>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_snmp">
+      <title xml:lang="en-US">SNMP Server</title>
+      <description xml:lang="en-US">The Simple Network Management Protocol allows
+administrators to monitor the state of network devices, including
+computers. Older versions of SNMP were well-known for weak
+security, such as plaintext transmission of the community string
+(used for authentication) and usage of easily-guessable
+choices for the community string.</description>
+      <Group id="xccdf_org.ssgproject.content_group_disabling_snmp_service">
+        <title xml:lang="en-US">Disable SNMP Server if Possible</title>
+        <description xml:lang="en-US">The system includes an SNMP daemon that allows for its remote
+monitoring, though it not installed by default. If it was installed and
+activated but is not needed, the software should be disabled and removed.
+</description>
+        <Rule id="xccdf_org.ssgproject.content_rule_disable_snmpd" selected="false" severity="low">
+          <title xml:lang="en-US">Disable snmpd Service</title>
+          <description xml:lang="en-US">
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable snmpd.service</xhtml:pre>
+          </description>
+          <rationale xml:lang="en-US">
+Running SNMP software provides a network-based avenue of attack, and
+should be disabled if not needed.
+</rationale>
+          <check system="ocil-transitional">
+            <check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+
+    To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service is disabled in system boot configuration, run the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>snmpd</xhtml:code> --list</xhtml:pre>
+    Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> service has either not been installed,
+    or has been disabled at all runlevels, as shown in the example below:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>snmpd</xhtml:code> --list
+<xhtml:code>snmpd</xhtml:code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off</xhtml:pre>
+
+    Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd</xhtml:code> is disabled through current runtime configuration:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service snmpd status</xhtml:pre>
+
+    If the service is disabled the command will return the following output:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd is stopped</xhtml:pre>
+          </check-content>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_uninstall_net-snmp" selected="false" severity="low">
+          <title xml:lang="en-US">Uninstall net-snmp Package</title>
+          <description xml:lang="en-US">The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmp</xhtml:code> package provides the snmpd service.
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmpd</xhtml:code> package can be removed with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase net-snmpd</xhtml:pre>
+</description>
+          <rationale xml:lang="en-US">
+If there is no need to run SNMP server software,
+removing the package provides a safeguard against its
+activation.
+</rationale>
+          <check system="ocil-transitional">
+            <check-export export-name="the package is installed" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+
+    Run the following command to determine if the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net-snmpd</xhtml:code> package is installed:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -q net-snmpd</xhtml:pre>
+          </check-content>
+          </check>
+        </Rule>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_snmp_configure_server">
+        <title xml:lang="en-US">Configure SNMP Server if Necessary</title>
+        <description xml:lang="en-US">If it is necessary to run the snmpd agent on the system, some best
+practices should be followed to minimize the security risk from the
+installation. The multiple security models implemented by SNMP cannot be fully
+covered here so only the following general configuration advice can be offered:
+<ul xmlns="http://www.w3.org/1999/xhtml"><li>use only SNMP version 3 security models and enable the use of authentication and encryption</li><li>write access to the MIB (Management Information Base) should be allowed only if necessary</li><li>all access to the MIB should be restricted following a principle of least privilege</li><li>network access should be limited to the maximum extent possible including restricting to expected network
+addresses both in the configuration files and in the system firewall rules</li><li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
+stations</li><li>ensure that permissions on the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">snmpd.conf</xhtml:code> configuration file (by default, in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp</xhtml:code>) are 640 or more restrictive</li><li>ensure that any MIB files' permissions are also 640 or more restrictive</li></ul>
+</description>
+        <Rule id="xccdf_org.ssgproject.content_rule_snmpd_use_newer_protocol" selected="false" severity="medium">
+          <title xml:lang="en-US">Configure SNMP Service to Use Only SNMPv3 or Newer </title>
+          <description xml:lang="en-US">
+Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</xhtml:code>, removing any references to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rocommunity</xhtml:code>, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rwcommunity</xhtml:code>, or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">com2sec</xhtml:code>.
+Upon doing that, restart the SNMP service:
+<pre xmlns="http://www.w3.org/1999/xhtml"># service snmpd restart</pre>
+</description>
+          <rationale xml:lang="en-US">
+Earlier versions of SNMP are considered insecure, as they potentially allow
+unauthorized access to detailed system management information.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:177" href="ssg-fedora-oval.xml"/>
+          </check>
+          <check system="ocil-transitional">
+            <check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To ensure only SNMPv3 or newer is used, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep 'rocommunity\|rwcommunity\|com2sec' /etc/snmp/snmpd.conf | grep -v "^#"</pre>
+There should be no output.
+</check-content>
+          </check>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_snmpd_not_default_password" selected="false" severity="medium">
+          <title xml:lang="en-US">Ensure Default Password Is Not Used</title>
+          <description xml:lang="en-US">
+Edit <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/snmp/snmpd.conf</xhtml:code>, remove default community string <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">public</xhtml:code>.
+Upon doing that, restart the SNMP service:
+<pre xmlns="http://www.w3.org/1999/xhtml"># service snmpd restart</pre>
+</description>
+          <rationale xml:lang="en-US">
+Presence of the default SNMP password enables querying of different system
+aspects and could result in unauthorized knowledge of the system.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:171" href="ssg-fedora-oval.xml"/>
+          </check>
+          <check system="ocil-transitional">
+            <check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To ensure the default password is not set, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep -v "^#" /etc/snmp/snmpd.conf| grep public</pre>
+There should be no output.
+</check-content>
+          </check>
+        </Rule>
+      </Group>
+    </Group>
+    <Group id="xccdf_org.ssgproject.content_group_nfs_and_rpc">
+      <title xml:lang="en-US">NFS and RPC</title>
+      <description xml:lang="en-US">The Network File System is a popular distributed filesystem for
+the Unix environment, and is very widely deployed.  This section discusses the
+circumstances under which it is possible to disable NFS and its dependencies,
+and then details steps which should be taken to secure
+NFS's configuration. This section is relevant to machines operating as NFS
+clients, as well as to those operating as NFS servers.
+</description>
+      <Group id="xccdf_org.ssgproject.content_group_disabling_nfs">
+        <title xml:lang="en-US">Disable All NFS Services if Possible</title>
+        <description xml:lang="en-US">If there is not a reason for the system to operate as either an
+NFS client or an NFS server, follow all instructions in this section to disable
+subsystems required by NFS.
+</description>
+        <warning xml:lang="en-US" override="false" category="general">The steps in this section will prevent a machine
+from operating as either an NFS client or an NFS server. Only perform these
+steps on machines which do not need NFS at all.</warning>
+        <Group id="xccdf_org.ssgproject.content_group_disabling_nfs_services">
+          <title xml:lang="en-US">Disable Services Used Only by NFS</title>
+          <description xml:lang="en-US">If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+All of these daemons run with elevated privileges, and many listen for network
+connections. If they are not needed, they should be disabled to improve system
+security posture.</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_service_nfslock_disabled" selected="false" severity="low">
+            <title xml:lang="en-US">Disable Network File System Lock Service (nfslock)</title>
+            <description xml:lang="en-US">The Network File System Lock (nfslock) service starts the required
+remote procedure call (RPC) processes which allow clients to lock files on the
+server. If the local machine is not configured to mount NFS filesystems then
+this service should be disabled.
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfslock</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable nfslock.service</xhtml:pre>
+</description>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_service_rpcgssd_disabled" selected="false" severity="low">
+            <title xml:lang="en-US">Disable Secure RPC Client Service (rpcgssd)</title>
+            <description xml:lang="en-US">
+The rpcgssd service manages RPCSEC GSS contexts required to secure protocols
+that use RPC (most often Kerberos and NFS). The rpcgssd service is the
+client-side of RPCSEC GSS. If the system does not require secure RPC then this
+service should be disabled.
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcgssd</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcgssd.service</xhtml:pre>
+</description>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_service_rpcidmapd_disabled" selected="false" severity="low">
+            <title xml:lang="en-US">Disable RPC ID Mapping Service (rpcidmapd)</title>
+            <description xml:lang="en-US">The rpcidmapd service is used to map user names and groups to UID
+and GID numbers on NFSv4 mounts. If NFS is not in use on the local system then
+this service should be disabled.
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcidmapd</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcidmapd.service</xhtml:pre>
+</description>
+          </Rule>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_disabling_netfs">
+          <title xml:lang="en-US">Disable netfs if Possible</title>
+          <description xml:lang="en-US">To determine if any network filesystems handled by netfs are
+currently mounted on the system execute the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># mount -t nfs,nfs4,smbfs,cifs,ncpfs</pre>
+If the command did not return any output then disable netfs.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_service_netfs_disabled" selected="false" severity="low">
+            <title xml:lang="en-US">Disable Network File Systems (netfs)</title>
+            <description xml:lang="en-US">The netfs script manages the boot-time mounting of several types
+of networked filesystems, of which NFS and Samba are the most common. If these
+filesystem types are not in use, the script can be disabled, protecting the
+system somewhat against accidental or malicious changes to <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>
+and against flaws in the netfs script itself.
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">netfs</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable netfs.service</xhtml:pre>
+</description>
+          </Rule>
+        </Group>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines">
+        <title xml:lang="en-US">Configure All Machines which Use NFS</title>
+        <description xml:lang="en-US">The steps in this section are appropriate for all machines which
+run NFS, whether they operate as clients or as servers.</description>
+        <Group id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both">
+          <title xml:lang="en-US">Make Each Machine a Client or a Server, not Both</title>
+          <description xml:lang="en-US">If NFS must be used, it should be deployed in the simplest
+configuration possible to avoid maintainability problems which may lead to
+unnecessary security exposure. Due to the reliability and security problems
+caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for machines
+which act as NFS servers to also mount filesystems via NFS. At the least,
+crossed mounts (the situation in which each of two servers mounts a filesystem
+from the other) should never be used.
+</description>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports">
+          <title xml:lang="en-US">Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)</title>
+          <description xml:lang="en-US">Firewalling should be done at each host and at the border
+firewalls to protect the NFS daemons from remote access, since NFS servers
+should never be accessible from outside the organization. However, by default
+for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
+dynamically at service startup time. Dynamic ports cannot be protected by port
+filtering firewalls such as iptables.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Therefore, restrict each service to always use a given port, so that
+firewalling can be done effectively. Note that, because of the way RPC is
+implemented, it is not possible to disable the RPC Bind service even if ports
+are assigned statically to all RPC services.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+In NFSv4, the mounting and locking protocols have been incorporated into the
+protocol, and the server listens on the the well-known TCP port 2049. As such,
+NFSv4 does not need to interact with the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcbind, lockd, and rpc.statd</xhtml:code>
+daemons, which can and should be disabled in a pure NFSv4 environment. The
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpc.mountd</xhtml:code> daemon is still required on the NFS server to setup
+exports, but is not involved in any over-the-wire operations.
+</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_tcp_port" selected="false" severity="low">
+            <title xml:lang="en-US">Configure lockd to use static TCP port</title>
+            <description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd</xhtml:code> daemon to use a static TCP port as
+opposed to letting the RPC Bind service dynamically assign a port. Edit the
+file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">LOCKD_TCPPORT=lockd-port</pre>
+Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd-port</xhtml:code> is a port which is not used by any other service on
+your network.
+</description>
+            <rationale xml:lang="en-US">
+Restrict service to always use a given port, so that firewalling can be done
+effectively.
+</rationale>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_lockd_udp_port" selected="false" severity="low">
+            <title xml:lang="en-US">Configure lockd to use static UDP port</title>
+            <description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd</xhtml:code> daemon to use a static UDP port as
+opposed to letting the RPC Bind service dynamically assign a port. Edit the
+file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">LOCKD_UDPPORT=lockd-port</pre>
+Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">lockd-port</xhtml:code> is a port which is not used by any other service on
+your network.
+</description>
+            <rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
+to be done more effectively.
+</rationale>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_statd_port" selected="false" severity="low">
+            <title xml:lang="en-US">Configure statd to use static port</title>
+            <description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">statd</xhtml:code> daemon to use a static port as
+opposed to letting the RPC Bind service dynamically assign a port. Edit the
+file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">STATD_PORT=statd-port</pre>
+Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">statd-port</xhtml:code> is a port which is not used by any other service on your network.
+</description>
+            <rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
+to be done more effectively.
+</rationale>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_nfs_fixed_mountd_port" selected="false" severity="low">
+            <title xml:lang="en-US">Configure mountd to use static port</title>
+            <description xml:lang="en-US">Configure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">mountd</xhtml:code> daemon to use a static port as
+opposed to letting the RPC Bind service dynamically assign a port. Edit the
+file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/sysconfig/nfs</xhtml:code>. Add or correct the following line:
+<pre xmlns="http://www.w3.org/1999/xhtml">MOUNTD_PORT=statd-port</pre>
+Where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">mountd-port</xhtml:code> is a port which is not used by any other service on your network.
+</description>
+            <rationale xml:lang="en-US"> Restricting services to always use a given port enables firewalling
+to be done more effectively.
+</rationale>
+          </Rule>
+        </Group>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_nfs_configuring_clients">
+        <title xml:lang="en-US">Configure NFS Clients</title>
+        <description xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS clients.</description>
+        <Group id="xccdf_org.ssgproject.content_group_disabling_nfsd">
+          <title xml:lang="en-US">Disable NFS Server Daemons</title>
+          <description xml:lang="en-US">
+There is no need to run the NFS server daemons <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> and
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> except on a small number of properly secured machines
+designated as NFS servers. Ensure that these daemons are turned off on
+clients.</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_nfs_no_anonymous" selected="false" severity="low">
+            <title xml:lang="en-US">Specify UID and GID for Anonymous NFS Connections</title>
+            <description xml:lang="en-US">To specify the UID and GID for remote root users, edit the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> file and add the following for each export:
+<pre xmlns="http://www.w3.org/1999/xhtml">
+anonuid=-1
+anongid=-1
+</pre>
+</description>
+            <rationale xml:lang="en-US">Specifying the anonymous UID and GID as -1 ensures that the remote root user is mapped to a local account which has no permissions on the system.</rationale>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_service_nfs_disabled" selected="false" severity="low">
+            <title xml:lang="en-US">Disable Network File System (nfs)</title>
+            <description xml:lang="en-US">The Network File System (NFS) service allows remote hosts to mount
+and interact with shared filesystems on the local machine. If the local machine
+is not designated as a NFS server then this service should be disabled.
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable nfs.service</xhtml:pre>
+</description>
+            <rationale xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="it does not" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+It is prudent to ensure the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service is disabled in system boot, as well as
+not currently running.  First, run the following to verify the service is stopped:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ service nfs status</pre>
+If the service is stopped or disabled, it will return the following:
+<pre xmlns="http://www.w3.org/1999/xhtml">rpc.svcgssd is stopped
+rpc.mountd is stopped
+nfsd is stopped
+rpc.rquotad is stopped</pre>
+To verify that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> service is disabled, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ chkconfig --list nfs</pre>
+If properly configured, the output should look like:
+<pre xmlns="http://www.w3.org/1999/xhtml">nfs            	0:off	1:off	2:off	3:off	4:off	5:off	6:off</pre>
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_service_rpcsvcgssd_disabled" selected="false" severity="low">
+            <title xml:lang="en-US">Disable Secure RPC Server Service (rpcsvcgssd)</title>
+            <description xml:lang="en-US">The rpcsvcgssd service manages RPCSEC GSS contexts required to
+secure protocols that use RPC (most often Kerberos and NFS). The rpcsvcgssd
+service is the server-side of RPCSEC GSS. If the system does not require secure
+RPC then this service should be disabled.
+
+    The <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service can be disabled with the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># systemctl disable rpcsvcgssd.service</xhtml:pre>
+</description>
+            <rationale xml:lang="en-US">Unnecessary services should be disabled to decrease the attack surface of the system.</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="the service is running" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+
+    To check that the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service is disabled in system boot configuration, run the following command:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>rpcsvcgssd</xhtml:code> --list</xhtml:pre>
+    Output should indicate the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> service has either not been installed,
+    or has been disabled at all runlevels, as shown in the example below:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig <xhtml:code>rpcsvcgssd</xhtml:code> --list
+<xhtml:code>rpcsvcgssd</xhtml:code>       0:off   1:off   2:off   3:off   4:off   5:off   6:off</xhtml:pre>
+
+    Run the following command to verify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd</xhtml:code> is disabled through current runtime configuration:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"># service rpcsvcgssd status</xhtml:pre>
+
+    If the service is disabled the command will return the following output:
+    <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml">rpcsvcgssd is stopped</xhtml:pre>
+            </check-content>
+            </check>
+          </Rule>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems">
+          <title xml:lang="en-US">Mount Remote Filesystems with Restrictive Options</title>
+          <description xml:lang="en-US">Edit the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code>. For each filesystem whose type
+(column 3) is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nfs4</xhtml:code>, add the text
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">,nodev,nosuid</xhtml:code> to the list of mount options in column 4. If
+appropriate, also add <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">,noexec</xhtml:code>.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+See the section titled "Restrict Partition Mount Options" for a description of
+the effects of these options. In general, execution of files mounted via NFS
+should be considered risky because of the possibility that an adversary could
+intercept the request and substitute a malicious file. Allowing setuid files to
+be executed from remote servers is particularly risky, both for this reason and
+because it requires the clients to extend root-level trust to the NFS
+server.</description>
+          <Rule id="xccdf_org.ssgproject.content_rule_use_nodev_option_on_nfs_mounts" selected="false" severity="medium">
+            <title xml:lang="en-US">Mount Remote Filesystems with nodev</title>
+            <description xml:lang="en-US">
+
+	Add the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> option to the fourth column of
+	<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code> for the line which controls mounting of
+	any NFS mounts.
+
+            </description>
+            <rationale xml:lang="en-US">Legitimate device files should only exist in the /dev directory. NFS mounts
+should not present device files to users.</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="the setting does not show" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> option is configured for all NFS mounts, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ mount  | grep nfs</pre>
+All NFS mounts should show the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nodev</xhtml:code> setting in parentheses.  This is not applicable if NFS is
+not implemented.
+</check-content>
+            </check>
+          </Rule>
+          <Rule id="xccdf_org.ssgproject.content_rule_use_nosuid_option_on_nfs_mounts" selected="false" severity="medium">
+            <title xml:lang="en-US">Mount Remote Filesystems with nosuid</title>
+            <description xml:lang="en-US">
+
+	Add the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> option to the fourth column of
+	<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/fstab</xhtml:code> for the line which controls mounting of
+	any NFS mounts.
+
+            </description>
+            <rationale xml:lang="en-US">NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables
+should be installed to their default location on the local filesystem.</rationale>
+            <check system="ocil-transitional">
+              <check-export export-name="the setting does not show" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+              <check-content>
+To verify the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> option is configured for all NFS mounts, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml">$ mount  | grep nfs</pre>
+All NFS mounts should show the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">nosuid</xhtml:code> setting in parentheses.  This is not applicable if NFS is
+not implemented.
+</check-content>
+            </check>
+          </Rule>
+        </Group>
+      </Group>
+      <Group id="xccdf_org.ssgproject.content_group_nfs_configuring_servers">
+        <title xml:lang="en-US">Configure NFS Servers</title>
+        <description xml:lang="en-US">The steps in this section are appropriate for machines which operate as NFS servers.</description>
+        <Group id="xccdf_org.ssgproject.content_group_configure_exports_restrictively">
+          <title xml:lang="en-US">Configure the Exports File Restrictively</title>
+          <description xml:lang="en-US">Linux's NFS implementation uses the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> to control what filesystems
+and directories may be accessed via NFS. (See the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">exports(5)</xhtml:code> manpage for more information about the
+format of this file.)
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+The syntax of the <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">exports</xhtml:code> file is not necessarily checked fully on reload, and syntax errors
+can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
+the file.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+The syntax of each line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> is:
+<pre xmlns="http://www.w3.org/1999/xhtml">/DIR	host1(opt1,opt2) host2(opt3)</pre>
+where <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/DIR</xhtml:code> is a directory or filesystem to export, <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">hostN</xhtml:code> is an IP address, netblock,
+hostname, domain, or netgroup to which to export, and <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">optN</xhtml:code> is an option.
+</description>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions">
+          <title xml:lang="en-US">Use Access Lists to Enforce Authorization Restrictions</title>
+          <description xml:lang="en-US">When configuring NFS exports, ensure that each export line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains
+a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
+then that export is available to any remote host which requests it. All lines of the exports file should
+specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
+unknown or remote hosts will be denied.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Authorized hosts can be specified in several different formats:
+<ul xmlns="http://www.w3.org/1999/xhtml"><li>Name or alias that is recognized by the resolver</li><li>Fully qualified domain name</li><li>IP address</li><li>IP subnets in the format <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">address/netmask</xhtml:code> or <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">address/CIDR</xhtml:code></li></ul>
+</description>
+        </Group>
+        <Group id="xccdf_org.ssgproject.content_group_export_filesystems_read_only">
+          <title xml:lang="en-US">Export Filesystems Read-Only if Possible</title>
+          <description xml:lang="en-US">If a filesystem is being exported so that users can view the files in a convenient
+fashion, but there is no need for users to edit those files, exporting the filesystem read-only
+removes an attack vector against the server. The default filesystem export mode is <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">ro</xhtml:code>,
+so do not specify <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">rw</xhtml:code> without a good reason.
+</description>
+        </Group>
+        <Rule id="xccdf_org.ssgproject.content_rule_use_root_squashing_all_exports" selected="false" severity="low">
+          <title xml:lang="en-US">Use Root-Squashing on All Exports</title>
+          <description xml:lang="en-US">If a filesystem is exported using root squashing, requests from root on the client
+are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
+protection against remote abuse of an NFS server. Root squashing is enabled by default, and
+should not be disabled.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+Ensure that no line in <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains the option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">no_root_squash</xhtml:code>.
+</description>
+          <rationale xml:lang="en-US">If the NFS server allows root access to local file systems from remote hosts, this
+access could be used to compromise the system.
+</rationale>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_restrict_nfs_clients_to_privileged_ports" selected="false" severity="low">
+          <title xml:lang="en-US">Restrict NFS Clients to Privileged Ports</title>
+          <description xml:lang="en-US">By default, the server NFS implementation requires that all client requests be made
+from ports less than 1024. If your organization has control over machines connected to its
+network, and if NFS requests are prohibited at the border firewall, this offers some protection
+against malicious requests from unprivileged users. Therefore, the default should not be changed.
+<br xmlns="http://www.w3.org/1999/xhtml"/><br xmlns="http://www.w3.org/1999/xhtml"/>
+To ensure that the default has not been changed, ensure no line in
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code> contains the option <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure</xhtml:code>.
+</description>
+          <rationale xml:lang="en-US">Allowing client requests to be made from ports higher than 1024 could allow a unprivileged
+user to initiate an NFS connection. If the unprivileged user account has been compromised, an
+attacker could gain access to data on the NFS server.</rationale>
+        </Rule>
+        <Rule id="xccdf_org.ssgproject.content_rule_no_insecure_locks_exports" selected="false" severity="medium">
+          <title xml:lang="en-US">Ensure Insecure File Locking is Not Allowed</title>
+          <description xml:lang="en-US">By default the NFS server requires secure file-lock requests,
+which require credentials from the client in order to lock a file. Most NFS
+clients send credentials with file lock requests, however, there are a few
+clients that do not send credentials when requesting a file-lock, allowing the
+client to only be able to lock world-readable files. To get around this, the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure_locks</xhtml:code> option can be used so these clients can access the
+desired export. This poses a security risk by potentially allowing the client
+access to data for which it does not have authorization.
+Remove any instances of the
+<xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">insecure_locks</xhtml:code> option from the file <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">/etc/exports</xhtml:code>.
+</description>
+          <reference href="http://iase.disa.mil/cci/index.html">764</reference>
+          <rationale xml:lang="en-US">Allowing insecure file locking could allow for sensitive data to be
+viewed or edited by an unauthorized user.
+</rationale>
+          <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+            <check-content-ref name="oval:ssg:def:196" href="ssg-fedora-oval.xml"/>
+          </check>
+          <check system="ocil-transitional">
+            <check-export export-name="there is output" value-id="xccdf_org.ssgproject.content_value_conditional_clause"/>
+            <check-content>
+To verify insecure file locking has been disabled, run the following command:
+<pre xmlns="http://www.w3.org/1999/xhtml"># grep insecure_locks /etc/exports</pre>
+</check-content>
+          </check>
+        </Rule>
+      </Group>
+    </Group>
   </Group>
 </Benchmark>