ALT Linux Bugzilla
– Attachment 20048 Details for
Bug 56820
Не выводится секция Checks в oscap info для sds.xml
Файл sds.xml
sds.xml (text/xml), 1.89 MB, created by
Иванов Александр Владимирович
on 2025-11-12 09:32:10 MSK
Description:
Файл sds.xml
Filename:
MIME Type:
Creator:
Иванов Александр Владимирович
Created:
2025-11-12 09:32:10 MSK
Size:
1.89 MB
><?xml version="1.0" encoding="utf-8"?> ><ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_scap-fedora14-xccdf.xml" schematron-version="1.2"> > <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_scap-fedora14-xccdf.xml" scap-version="1.2" use-case="OTHER" timestamp="2012-11-01T12:22:58"> > <ds:checklists> > <ds:component-ref id="scap_org.open-scap_cref_scap-fedora14-xccdf.xml" xlink:href="#scap_org.open-scap_comp_scap-fedora14-xccdf.xml"> > <cat:catalog> > <cat:uri name="scap-fedora14-oval.xml" uri="#scap_org.open-scap_cref_scap-fedora14-oval.xml"/> > </cat:catalog> > </ds:component-ref> > </ds:checklists> > <ds:checks> > <ds:component-ref id="scap_org.open-scap_cref_scap-fedora14-oval.xml" xlink:href="#scap_org.open-scap_comp_scap-fedora14-oval.xml"/> > </ds:checks> > </ds:data-stream> > <ds:component id="scap_org.open-scap_comp_scap-fedora14-xccdf.xml" timestamp="2012-07-20T12:22:58"> > <xccdf:Benchmark xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_cdf_benchmark_scap-fedora14-xccdf.xml" resolved="1" style="SCAP_1.2" xml:lang="en" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 http://scap.nist.gov/schema/xccdf/1.2/xccdf_1.2.xsd http://cpe.mitre.org/dictionary/2.0 http://scap.nist.gov/schema/cpe/2.3/cpe-dictionary_2.3.xsd"> > <xccdf:status date="2011-10-12">draft</xccdf:status> > <xccdf:title>Example of SCAP Security Guidance</xccdf:title> > <xccdf:description>This example security guidance has been created to demonstrate SCAP functionality >on Linux.</xccdf:description> > <xccdf:version>0.1</xccdf:version> > <xccdf:model system="urn:xccdf:scoring:default"/> > <xccdf:model system="urn:xccdf:scoring:flat"/> > <!-- 
==================================================================================================== --> > <!-- ============================================ PROFILES ============================================= --> > <!-- ==================================================================================================== --> > <!-- --> > <!-- These profiles outline the specific guidance outlined by this document. --> > <!-- Each defines the set of XCCDF rules that are applicable for that guidance as well as specific values --> > <!-- to be used when determining complinace. --> > <!-- --> > <xccdf:Profile abstract="false" id="xccdf_cdf_profile_F14-Default"> > <xccdf:title xml:lang="en">Default install settings</xccdf:title> > <xccdf:description xml:lang="en">This profile is an example policy that simply checks if some of Fedora 14 default >install settings have been modified. It is not comprehensive nor checks security hardening. It is just for testing >purposes.</xccdf:description> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.1.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Separate Partition or Logical Volume for /tmp --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.1.1.1.b" selected="false"/> > <!-- DONE --> > <!-- Minimum size of /tmp --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.1.1.2.a" selected="false"/> > <!-- DONE --> > <!-- Separate Partition or Logical Volume for /var --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.1.1.2.b" selected="false"/> > <!-- DONE --> > <!-- Minimum size of /var --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.1.1.3.a" selected="false"/> > <!-- DONE --> > <!-- Separate Partition or Logical Volume for /var/log --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.1.1.4.a" selected="false"/> > <!-- DONE --> > <!-- Separate Partition or Logical Volume for /var/log/audit --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.1.1.5.a" selected="false"/> > <!-- DONE --> > <!-- Separate Partition or Logical Volume for /home --> 
> <xccdf:select idref="xccdf_cdf_rule_rule-2.1.2.1.1.a" selected="true"/> > <!-- READY+ --> > <!-- Ensure that GPG Key for Fedora is installed --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.2.3.2.a" selected="false"/> > <!-- DONE --> > <!-- Disable the yum-updatesd daemon --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.2.3.2.b" selected="false"/> > <!-- DONE --> > <!-- Automatic Update Retrieval should be scheduled with Cron --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.2.3.3.a" selected="true"/> > <!-- READY+ --> > <!-- Ensure gpgcheck is Globally Activated --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.2.3.4.a" selected="true"/> > <!-- READY+ --> > <!-- Ensure Package Signature Checking is Not Disabled For Any Repos --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.2.3.5.a" selected="false"/> > <!-- DONE --> > <!-- Ensure Repodata Signature Checking is Globally Activated --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.2.3.6.a" selected="true"/> > <!-- READY+ --> > <!-- Ensure Repodata Signature Checking is Not Disabled For Any Repos --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.3.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Install AIDE --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.3.1.4.a" selected="false"/> > <!-- DONE --> > <!-- run AIDE (integrity check) periodically --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.1.3.2.a" selected="false"/> > <!-- DONE (unknown)--> > <!-- Verify Package Integrity Using RPM --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Add nodev Option to Non-Root Local Partitions --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.1.2.a" selected="false"/> > <!-- DONE (unknown)--> > <!-- Add nodev Option to Removable Media Partitions --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.1.2.b" selected="false"/> > <!-- DONE (unknown)--> > <!-- Add noexec Option to Removable Media Partitions --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.1.2.c" 
selected="false"/> > <!-- DONE (unknown)--> > <!-- Add nosuid Option to Removable Media Partitions --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable Modprobe Loading of USB Storage Driver --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.1.2.a" selected="false"/> > <!-- DONE --> > <!-- Remove USB Storage Driver --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.1.3.a" selected="false"/> > <!-- DONE --> > <!-- Disable Kernel Support for USB via Bootloader Configuration (will disable all USB devices including keyboards, mice, etc) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.1.4.a" selected="false"/> > <!-- READY (unknown)--> > <!-- Disable Booting from USB Devices --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.2.a" selected="false"/> > <!-- DONE --> > <!-- Disable the Automounter if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.3.a" selected="false"/> > <!-- BUG? --> > <!-- Disable GNOME Automounting if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.4.a" selected="false"/> > <!-- READY --> > <!-- Disable Mounting of cramfs --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.4.b" selected="false"/> > <!-- READY --> > <!-- Disable Mounting of freevxfs --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.4.c" selected="false"/> > <!-- READY --> > <!-- Disable Mounting of jffs2 --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.4.d" selected="false"/> > <!-- READY --> > <!-- Disable Mounting of hfs --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.4.e" selected="false"/> > <!-- READY --> > <!-- Disable Mounting of hfsplus --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.4.f" selected="false"/> > <!-- READY --> > <!-- Disable Mounting of squashfs --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.2.4.g" selected="false"/> > <!-- READY --> > <!-- Disable Mounting of udf --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.a" selected="true"/> > <!-- 
READY+ --> > <!-- Verify user who owns '/etc/shadow' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.b" selected="true"/> > <!-- READY+ --> > <!-- Verify group who owns '/etc/shadow' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.c" selected="true"/> > <!-- READY+ --> > <!-- Verify user who owns '/etc/group' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.d" selected="true"/> > <!-- READY+ --> > <!-- Verify group who owns '/etc/group' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.e" selected="true"/> > <!-- READY+ --> > <!-- Verify user who owns '/etc/gshadow' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.f" selected="true"/> > <!-- READY+ --> > <!-- Verify group who owns '/etc/gshadow' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.g" selected="true"/> > <!-- READY+ --> > <!-- Verify user who owns '/etc/passwd' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.h" selected="true"/> > <!-- READY+ --> > <!-- Verify group who owns '/etc/passwd' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.i" selected="true"/> > <!-- READY+ --> > <!-- Verify permissions on '/etc/shadow' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.j" selected="true"/> > <!-- READY+ --> > <!-- Verify permissions on '/etc/group' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.k" selected="true"/> > <!-- READY+ --> > <!-- Verify permissions on '/etc/gshadow' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.1.l" selected="true"/> > <!-- READY+ --> > <!-- Verify permissions on '/etc/passwd' file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.2.a" selected="true"/> > <!-- READY+ --> > <!-- Verify that All World-Writable Directories Have Sticky Bits Set --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.3.a" selected="true"/> > <!-- READY+ --> > <!-- Find Unauthorized World-Writable Files --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.4.a" selected="true"/> > 
<!-- READY+ --> > <!-- Find Unauthorized SGID System Executables --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.4.b" selected="true"/> > <!-- READY+ --> > <!-- Find Unauthorized SUID System Executables --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.5.a" selected="true"/> > <!-- READY+ --> > <!-- Find files unowned by a user --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.5.b" selected="true"/> > <!-- READY+ --> > <!-- Find files unowned by a group --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.3.6.a" selected="true"/> > <!-- READY+ --> > <!-- Find world writable directories not owned by a system account--> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.4.1.a" selected="true"/> > <!-- READY+ --> > <!-- Set Daemon umask --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.4.2.a" selected="false"/> > <!-- DONE --> > <!-- Disable Core Dumps for all users --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.4.2.b" selected="true"/> > <!-- READY+ --> > <!-- Disable Core Dumps for SUID programs --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.4.3.a" selected="true"/> > <!-- READY+ --> > <!-- Enable ExecShield --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.4.3.b" selected="true"/> > <!-- READY+ --> > <!-- Enable ExecShield randomized placement of virtual memory regions --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.2.4.4.2.a" selected="false"/> > <!-- DONE (unknown) --> > <!-- Enable NX or XD Support in the BIOS --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Restrict Root Logins to System Console --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.1.b" selected="false"/> > <!-- DONE --> > <!-- Restrict virtual console Root Logins --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.1.c" selected="false"/> > <!-- DONE --> > <!-- Restrict deprecated virtual console Root Logins --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.1.d" selected="true"/> > <!-- READY+ --> > <!-- Restrict serial port 
Root Logins --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.2.a" selected="false"/> > <!-- DONE --> > <!-- Limit su Access to the Root Account --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.2.b" selected="false"/> > <!-- DONE --> > <!-- Limit su Access to the wheel group --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.3.a" selected="false"/> > <!-- DONE --> > <!-- Configure sudo to Improve Auditing of Root Access --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.4.a" selected="false"/> > <!-- DONE --> > <!-- Block Shell and Login Access for Non-Root System Accounts --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.5.1.a" selected="true"/> > <!-- READY+ --> > <!-- Verify that No Accounts Have Empty Password Fields --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.5.2.a" selected="true"/> > <!-- READY+ --> > <!-- Verify that all Account Password Hashes are Shadowed --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.6.a" selected="true"/> > <!-- READY+ --> > <!-- Verify that No Non-Root Accounts Have UID 0 --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.7.a" selected="true"/> > <!-- READY+ --> > <!-- Set password minimum length --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.7.b" selected="false"/> > <!-- DONE --> > <!-- Set minimum password age --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.7.c" selected="false"/> > <!-- DONE --> > <!-- Set maximum password age --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.7.d" selected="true"/> > <!-- READY+ --> > <!-- Set password warn age --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.8.a" selected="false"/> > <!-- DONE --> > <!-- Remove Legacy + Entries from /etc/shadow --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.8.b" selected="false"/> > <!-- DONE --> > <!-- Remove Legacy + Entries from /etc/group --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.1.8.c" selected="false"/> > <!-- DONE --> > <!-- Remove Legacy + Entries from /etc/passwd --> > <xccdf:select 
idref="xccdf_cdf_rule_rule-2.3.3.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Set Password Quality Requirements using pam_cracklib --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.3.1.2.a" selected="false"/> > <!-- DONE --> > <!-- Set Password Quality Requirements using pam_passwdqc --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.3.2.a" selected="false"/> > <!-- DONE --> > <!-- Set Lockouts for Failed Password Attempts --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.3.2.b" selected="false"/> > <!-- DONE (unknown) --> > <!-- Do not leak information on authorization failure --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.3.4.a" selected="false"/> > <!-- DONE --> > <!-- Restrict Execution of userhelper to Console Users --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.3.4.b" selected="false"/> > <!-- DONE --> > <!-- Restrict File permissions of userhelper --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.3.5.a" selected="true"/> > <!-- READY+ --> > <!-- Set Password hashing algorithm --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.3.6.a" selected="false"/> > <!-- DONE --> > <!-- Limit password reuse --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.4.1.a" selected="true"/> > <!-- READY+ --> > <!-- Ensure that No Dangerous Directories Exist in Root's Path --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.4.1.b" selected="true"/> > <!-- READY+ --> > <!-- Write permissions are disabled for group and other in all directories in Root's Path --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.4.2.a" selected="true"/> > <!-- READY+ --> > <!-- Ensure that User Home Directories are not Group-Writable or World-Readable --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.4.4.a" selected="true"/> > <!-- READY+ --> > <!-- Ensure that Users Have Sensible Umask Values in /etc/bashrc --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.4.4.b" selected="true"/> > <!-- READY+ --> > <!-- Ensure that Users Have Sensible Umask Values in /etc/cshrc --> > <xccdf:select 
idref="xccdf_cdf_rule_rule-2.3.4.5.a" selected="false"/> > <!-- DONE (unknown) --> > <!-- Check for existance of .netrc file --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.2.a" selected="true"/> > <!-- READY+ --> > <!-- Set Boot Loader user owner --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.2.b" selected="true"/> > <!-- READY+ --> > <!-- Set Boot Loader group owner --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.2.c" selected="true"/> > <!-- READY+ --> > <!-- Set permission on /etc/grub.conf --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.2.d" selected="false"/> > <!-- DONE --> > <!-- Set Boot Loader Password --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.3.a" selected="false"/> > <!-- ToDo --> > <!-- Require Authentication for Single-User Mode --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.4.a" selected="false"/> > <!-- DONE --> > <!-- Disable Interactive Boot --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.5.a" selected="false"/> > <!-- DONE --> > <!-- Implement Inactivity Time-out for csh Shell --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.5.b" selected="false"/> > <!-- DONE (unknown) --> > <!-- Implement Inactivity Time-out for bash Shell --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.6.1.a" selected="false"/> > <!-- DONE --> > <!-- Implement Inactivity Time-out for Login Shells --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.6.1.b" selected="false"/> > <!-- DONE --> > <!-- Implement idle activation of screen saver --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.6.1.c" selected="false"/> > <!-- DONE --> > <!-- Implement idle activation of screen lock --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.6.1.d" selected="false"/> > <!-- DONE --> > <!-- Implement blank screen saver --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.5.6.2.a" selected="false"/> > <!-- DONE --> > <!-- Configure console screen locking --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.7.1.a" selected="false"/> > <!-- DONE 
--> > <!-- Modify the System Login Banner --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.3.7.2.a" selected="false"/> > <!-- BUG --> > <!-- Implement a GUI Warning Banner --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.2.a" selected="true"/> > <!-- READY+ --> > <!-- Enable SELinux in /etc/grub.conf --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.2.b" selected="false"/> > <!-- DONE --> > <!-- Enable SELinux enforcement in /etc/grub.conf --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.2.c" selected="true"/> > <!-- READY+ --> > <!-- Set the SELinux state --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.2.d" selected="true"/> > <!-- READY+ --> > <!-- Set the SELinux policy --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.2.1.a" selected="false"/> > <!-- DONE (unknown) --> > <!-- Ensure SELinux is Properly Enabled --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.3.2.a" selected="false"/> > <!-- DONE --> > <!-- Disable MCS Translation Service (mcstrans) if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.3.3.a" selected="false"/> > <!-- DONE --> > <!-- Restorecon Service (restorecond) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.4.5.a" selected="false"/> > <!-- DONE (unknown) --> > <!-- Check for Unconfined Daemons --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable net.ipv4.conf.default.send_redirects for Hosts Only --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.1.b" selected="false"/> > <!-- DONE --> > <!-- Disable net.ipv4.conf.all.send_redirects for Hosts Only --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.1.c" selected="false"/> > <!-- DONE --> > <!-- Disable net.ipv4.ip forward for Hosts Only --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.a" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.all.accept_source_route for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.b" selected="false"/> > <!-- DONE --> > <!-- Set 
net.ipv4.conf.all.accept_redirects for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.c" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.all.secure_redirects for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.d" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.all.log_martians for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.e" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.default.accept_source_route for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.f" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.default.accept_redirects for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.g" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.default.secure_redirects for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.h" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.icmp_echo_ignore_broadcasts for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.i" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.icmp_ignore_bogus_error_messages for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.j" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.tcp_syncookies for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.k" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.all.rp_filter for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.1.2.l" selected="false"/> > <!-- DONE --> > <!-- Set net.ipv4.conf.default.rp_filter for Hosts and Routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.2.2.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable Wireless in BIOS --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.2.2.2.a" selected="false"/> > <!-- DONE --> > <!-- Deactivate Wireless Interfaces --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.2.2.3.a" 
selected="false"/> > <!-- DONE --> > <!-- Disable Wireless Drivers --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable Automatic Loading of IPv6 Kernel Module --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.1.2.a" selected="false"/> > <!-- DONE --> > <!-- Disable NETWORKING_IPV6 in /etc/sysconfig/network --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.1.2.b" selected="false"/> > <!-- DONE --> > <!-- Disable IPV6INIT in /etc/sysconfig/network --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.1.2.c" selected="false"/> > <!-- DONE --> > <!-- Disable IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-* --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable IPV6_AUTOCONF in /etc/sysconfig/network --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.1.b" selected="false"/> > <!-- DONE --> > <!-- Disable accepting IPv6 router advertisements (net.ipv6.conf.default.accept_ra) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.1.c" selected="false"/> > <!-- DONE --> > <!-- Disable accepting redirects from IPv6 routers (net.ipv6.conf.default.accept_redirects) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.1.d" selected="false"/> > <!-- DONE --> > <!-- Disable accepting redirects from IPv6 routers (net.ipv6.conf.all.accept_redirects) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.3.a" selected="false"/> > <!-- DONE --> > <!-- Use Privacy Extensions for Address if Necessary --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.5.a" selected="false"/> > <!-- DONE --> > <!-- Limit Network-Transmitted Configuration via net.ipv6.conf.default.router_solicitations --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.5.b" selected="false"/> > <!-- DONE --> > <!-- Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_rtr_pref --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.5.c" selected="false"/> > <!-- DONE 
--> > <!-- Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_pinfo --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.5.d" selected="false"/> > <!-- DONE --> > <!-- Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_defrtr --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.5.e" selected="false"/> > <!-- DONE --> > <!-- Limit Network-Transmitted Configuration via net.ipv6.conf.default.autoconf --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.5.f" selected="false"/> > <!-- DONE --> > <!-- Limit Network-Transmitted Configuration via net.ipv6.conf.default.dad_transmits --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.3.2.5.g" selected="false"/> > <!-- DONE --> > <!-- Limit Network-Transmitted Configuration via net.ipv6.conf.default.max_addresses --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.5.1.a" selected="true"/> > <!-- READY+ --> > <!-- Verify ip6tables is enabled --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.5.1.b" selected="true"/> > <!-- READY+ --> > <!-- Verify iptables is enabled --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.5.3.1.a" selected="false"/> > <!-- DONE --> > <!-- Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.5.3.1.b" selected="false"/> > <!-- DONE --> > <!-- Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.7.1.a" selected="false"/> > <!-- ERASE --> > <!-- Disable Support for DCCP --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.7.2.a" selected="false"/> > <!-- ERASE --> > <!-- Disable Support for SCTP --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.7.3.a" selected="false"/> > <!-- ERASE --> > <!-- Disable Support for RDS --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.5.7.4.a" selected="false"/> > <!-- ERASE --> > <!-- Disable Support for TIPC --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.a" 
selected="true"/> > <!-- DONE+ --> > <!-- Configure Syslog --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.2.a" selected="true"/> > <!-- DONE+ --> > <!-- Confirm user that owns System Log Files --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.2.b" selected="true"/> > <!-- DONE+ --> > <!-- Confirm group that owns System Log Files --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.2.c" selected="true"/> > <!-- DONE+ --> > <!-- Confirm Permissions of System Log Files --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.3.a" selected="false"/> > <!-- OK --> > <!-- Send Logs to a Remote Loghost --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.4.a" selected="false"/> > <!-- F14 test needed--> > <!-- Disable syslogd from Accepting Remote Messages on Loghosts Only --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.5.a" selected="false"/> > <!-- missing --> > <!-- Ensure All Logs are Rotated by logrotate --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.1.6.a" selected="false"/> > <!-- DONE (unknown) --> > <!-- Monitor Suspicious Log Messages using Logwatch --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.1.a" selected="true"/> > <!-- DONE+ --> > <!-- Enable the auditd Service --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.3.a" selected="false"/> > <!-- DONE --> > <!-- Enable Auditing for Processes Which Start Prior to the Audit Daemon --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.1.a" selected="false"/> > <!-- DONE --> > <!-- Records Events that Modify Date and Time Information --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.2.a" selected="false"/> > <!-- DONE --> > <!-- Record Events that Modify User/Group Information --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.3.a" selected="false"/> > <!-- DONE --> > <!-- Record Events that Modify the System’s Network Environment --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.4.a" selected="false"/> > <!-- DONE --> > <!-- Record Events that Modify the System’s Mandatory 
Access Controls --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.5.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Logon and Logout Events --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.6.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Process and Session Initiation Information --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.7.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Discretionary Access Control Permission Modification Events --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.8.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.9.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Information on the Use of Privileged Commands --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.10.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Information on Exporting to Media (successful) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.11.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful) --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.12.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects System Administrator Actions --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.13.a" selected="false"/> > <!-- DONE --> > <!-- Ensure auditd Collects Information on Kernel Module Loading and Unloading --> > <xccdf:select idref="xccdf_cdf_rule_rule-2.6.2.4.14.a" selected="false"/> > <!-- DONE --> > <!-- Make the auditd Configuration Immutable --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable Inetd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.1.b" selected="false"/> > <!-- DONE --> > <!-- Disable Xinetd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.1.c" selected="false"/> 
> <!-- DONE --> > <!-- Uninstall Inetd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.1.d" selected="false"/> > <!-- DONE --> > <!-- Uninstall Xinetd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.2.a" selected="false"/> > <!-- DONE --> > <!-- Telnet server package is uninstalled --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.2.b" selected="false"/> > <!-- DONE --> > <!-- Disable telnet service --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.2.1.a" selected="false"/> > <!-- DONE --> > <!-- Remove the telnet client command from the System --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.2.1.b" selected="false"/> > <!-- DONE --> > <!-- Remove the kerberos telnet client from the System --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.3.1.a" selected="false"/> > <!-- DONE --> > <!-- Remove the Rsh Server Commands from the System --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.3.1.b" selected="false"/> > <!-- ERASE --> > <!-- disable rcp --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.3.1.c" selected="false"/> > <!-- DONE --> > <!-- disable rsh --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.3.1.d" selected="false"/> > <!-- DONE --> > <!-- disable rlogin --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.3.2.a" selected="false"/> > <!-- DONE --> > <!-- Remove .rhosts Support from PAM Configuration Files --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.3.3.a" selected="false"/> > <!-- DONE --> > <!-- Remove the Rsh Client Commands from the System --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.4.a" selected="false"/> > <!-- DONE --> > <!-- Uninstall NIS --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.4.b" selected="false"/> > <!-- DONE --> > <!-- Disable NIS --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.5.a" selected="false"/> > <!-- DONE --> > <!-- Uninstall TFTP Server --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.2.5.b" selected="false"/> > <!-- DONE --> > <!-- disable TFTP Server --> > <xccdf:select 
idref="xccdf_cdf_rule_rule-3.3.1.a" selected="false"/> > <!-- DONE --> > <!-- Installation Helper Service (firstboot) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.2.a" selected="false"/> > <!-- DONE --> > <!-- Console Mouse Service (gpm) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.3.a" selected="false"/> > <!-- DONE --> > <!-- Interrupt Distribution on Multiprocessor Systems (irqbalance) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.4.a" selected="false"/> > <!-- DONE --> > <!-- ISDN Support (isdn) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.5.a" selected="false"/> > <!-- DONE --> > <!-- Kdump Kernel Crash Analyzer (kdump) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.6.a" selected="false"/> > <!-- DONE --> > <!-- Kudzu Hardware Probing Utility (kudzu) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.7.a" selected="false"/> > <!-- DONE --> > <!-- Software RAID Monitor (mdmonitor) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.8.a" selected="false"/> > <!-- DONE --> > <!-- A32 Microcode Utility (microcodectl) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.9.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable All Networking if Not Needed --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.9.2.a" selected="false"/> > <!-- DONE --> > <!-- Disable All External Network Interfaces if Not Needed --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.9.3.a" selected="false"/> > <!-- DONE --> > <!-- Disable Zeroconf Networking --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.10.a" selected="false"/> > <!-- DONE --> > <!-- Smart Card Support (pcscd) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.11.a" selected="false"/> > <!-- DONE --> > <!-- SMART Disk Monitoring Support (smartd) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.12.a" selected="false"/> > <!-- DONE --> > <!-- Boot Caching (readahead early/readahead later) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.12.b" selected="false"/> > <!-- DONE --> > <!-- Boot 
Caching (readahead early/readahead later) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.13.1.a" selected="false"/> > <!-- DONE --> > <!-- D-Bus IPC Service (messagebus) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.13.2.a" selected="false"/> > <!-- DONE --> > <!-- HAL Daemon (haldaemon) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.14.1.a" selected="false"/> > <!-- DONE --> > <!-- Bluetooth Host Controller Interface Daemon (bluetooth) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.14.2.a" selected="false"/> > <!-- DONE --> > <!-- Bluetooth Input Devices (hidd) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.14.3.a" selected="false"/> > <!-- TODO --> > <!-- Disable Bluetooth Kernel Modules --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.15.1.a" selected="false"/> > <!-- DONE --> > <!-- Advanced Power Management Subsystem (apmd) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.15.2.a" selected="false"/> > <!-- DONE --> > <!-- Advanced Configuration and Power Interface (acpid) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.3.15.3.a" selected="false"/> > <!-- DONE --> > <!-- CPU Throttling (cpuspeed) --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.a" selected="false"/> > <!-- DONE --> > <!-- Enable Cron Daemon --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable anacron if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.1.b" selected="false"/> > <!-- DONE --> > <!-- Uninstall anacron if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.1.a" selected="true"/> > <!-- DONE --> > <!-- Set group owner on /etc/crontab --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.1.b" selected="true"/> > <!-- DONE --> > <!-- Set user owner on /etc/crontab --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.1.c" selected="true"/> > <!-- DONE --> > <!-- Set Permissions on /etc/crontab --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.2.a" selected="true"/> > <!-- DONE --> > 
<!-- Set group owner on /etc/anacrontab --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.2.b" selected="true"/> > <!-- DONE --> > <!-- Set user owner on /etc/anacrontab --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.2.c" selected="true"/> > <!-- DONE --> > <!-- Set Permissions on /etc/anacrontab --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.a" selected="true"/> > <!-- DONE --> > <!-- Set group owner on /etc/cron.hourly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.b" selected="true"/> > <!-- DONE --> > <!-- Set group owner on /etc/cron.daily --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.c" selected="true"/> > <!-- DONE --> > <!-- Set group owner on /etc/cron.weekly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.d" selected="true"/> > <!-- DONE --> > <!-- Set group owner on /etc/cron.monthly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.e" selected="true"/> > <!-- DONE --> > <!-- Set group owner on /etc/cron.d --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.f" selected="true"/> > <!-- DONE --> > <!-- Set user owner on /etc/cron.hourly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.g" selected="true"/> > <!-- DONE --> > <!-- Set user owner on /etc/cron.daily --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.h" selected="true"/> > <!-- DONE --> > <!-- Set user owner on /etc/cron.weekly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.i" selected="true"/> > <!-- DONE --> > <!-- Set user owner on /etc/cron.monthly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.j" selected="true"/> > <!-- DONE --> > <!-- Set user owner on /etc/cron.d --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.k" selected="true"/> > <!-- DONE --> > <!-- Set permissions on /etc/cron.hourly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.l" selected="true"/> > <!-- DONE --> > <!-- Set permissions on /etc/cron.daily --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.m" selected="true"/> > <!-- DONE 
--> > <!-- Set permissions on /etc/cron.weekly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.n" selected="true"/> > <!-- DONE --> > <!-- Set permissions on /etc/cron.monthly --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.3.o" selected="true"/> > <!-- DONE --> > <!-- Set permissions on /etc/cron.d --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.4.a" selected="true"/> > <!-- DONE --> > <!-- Restrict group owner on /var/spool/cron file --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.4.b" selected="true"/> > <!-- DONE --> > <!-- Restrict user owner on /var/spool/cron file --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.2.4.c" selected="true"/> > <!-- DONE --> > <!-- Restrict Permissions on /var/spool/cron file --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.3.a" selected="false"/> > <!-- DONE --> > <!-- Disable at Daemon if possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.3.b" selected="false"/> > <!-- DONE --> > <!-- uninstall at Daemon --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.4.a" selected="false"/> > <!-- DONE --> > <!-- Remove /etc/cron.deny --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.4.4.b" selected="false"/> > <!-- DONE --> > <!-- Remove /etc/at.deny --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.1.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable OpenSSH Software --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.1.1.b" selected="false"/> > <!-- DONE --> > <!-- Remove OpenSSH Software --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.1.2.a" selected="false"/> > <!-- DONE --> > <!-- Remove SSH Server iptables Firewall Exception --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.1.2.b" selected="false"/> > <!-- DONE --> > <!-- Remove SSH Server ip6tables Firewall Exception --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.1.a" selected="false"/> > <!-- DONE --> > <!-- Ensure Only Protocol 2 Connections Allowed --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.3.a" selected="false"/> > <!-- 
DONE --> > <!-- Set Idle Timeout Interval for User Logins --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.3.b" selected="false"/> > <!-- DONE --> > <!-- Set ClientAliveCountMax for User Logins --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.4.a" selected="false"/> > <!-- DONE --> > <!-- Disable .rhosts Files --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.5.a" selected="false"/> > <!-- DONE --> > <!-- Disable Host-Based Authentication --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.6.a" selected="false"/> > <!-- DONE --> > <!-- Disable root Login via SSH --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.7.a" selected="false"/> > <!-- DONE --> > <!-- Disable Empty Passwords --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.8.a" selected="false"/> > <!-- DONE --> > <!-- Enable a Warning Banner --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.9.a" selected="false"/> > <!-- DONE --> > <!-- Do not allow users to set Environment options --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.5.2.10.a" selected="false"/> > <!-- TODO --> > <!-- Use Only Approved Ciphers --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.6.1.1.a" selected="false"/> > <!-- Disable X Windows at System Boot --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.6.1.2.a" selected="false"/> > <!-- Remove X Windows from the System if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.6.1.3.2.a" selected="false"/> > <!-- Disable X Window System Listening --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.6.2.1.a" selected="false"/> > <!-- Create Warning Banners for GUI Login Users --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.1.1.a" selected="false"/> > <!-- Disable Avahi Server Software --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.1.a" selected="false"/> > <!-- Do not serve ipv6 Protocol --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.1.b" selected="false"/> > <!-- Do not serve ipv4 Protocol --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.2.a" 
selected="false"/> > <!-- Check Responses' TTL Field --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.3.a" selected="false"/> > <!-- Prevent Other Programs from Using Avahi's Port --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.4.a" selected="false"/> > <!-- Disable Publishing if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.5.a" selected="false"/> > <!-- Restrict disable-user-service-publishing --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.5.b" selected="false"/> > <!-- Restrict publish-addresses --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.5.c" selected="false"/> > <!-- Restrict publish-hinfo --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.5.d" selected="false"/> > <!-- Restrict publish-workstation --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.7.2.5.e" selected="false"/> > <!-- Restrict publish-domain --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.8.1.a" selected="false"/> > <!-- Disable the CUPS Service if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.8.2.a" selected="false"/> > <!-- Disable Firewall Access to Printing Service over IPv4 if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.8.2.b" selected="false"/> > <!-- Disable Firewall Access to Printing Service over IPv6 if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.8.3.1.1.a" selected="false"/> > <!-- Disable Printer Browsing Entirely if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.8.3.1.1.b" selected="false"/> > <!-- Deny CUPS ability to listen for Incoming printer information --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.8.4.1.a" selected="false"/> > <!-- Disable HPLIP Service if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.1.a" selected="false"/> > <!-- Disable DHCP Client if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.3.a" selected="false"/> > <!-- Disable DHCP Server if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.3.b" selected="false"/> > <!-- Uninstall DHCP 
Server if possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.1.a" selected="false"/> > <!-- Do Not Use Dynamic DNS --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.2.a" selected="false"/> > <!-- Deny Decline Messages --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.3.a" selected="false"/> > <!-- Deny BOOTP Queries --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.4.a" selected="false"/> > <!-- DHCP should not send domain-name --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.4.b" selected="false"/> > <!-- DHCP should not send domain-name-servers --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.4.c" selected="false"/> > <!-- DHCP should not send nis-domain --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.4.d" selected="false"/> > <!-- DHCP should not send nis-servers --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.4.e" selected="false"/> > <!-- DHCP should not send ntp-servers --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.4.f" selected="false"/> > <!-- DHCP should not send routers --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.4.g" selected="false"/> > <!-- DHCP should not send time-offset --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.9.4.5.a" selected="false"/> > <!-- Configure DHCP Logging --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.10.2.2.1.a" selected="false"/> > <!-- Enable the NTP Daemon --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.10.2.2.2.a" selected="false"/> > <!-- Deny All Access to ntpd by Default --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.10.2.2.3.a" selected="false"/> > <!-- Specify a Remote NTP Server for Time Data --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.10.3.1.a" selected="false"/> > <!-- Obtain NTP Software --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.10.3.2.1.a" selected="false"/> > <!-- Enable the NTP Daemon --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.10.3.2.2.a" selected="false"/> > <!-- Configure the Client NTP Daemon to Use the Local Server --> > 
<xccdf:select idref="xccdf_cdf_rule_rule-3.11.2.1.a" selected="false"/> > <!-- Disable the Listening Sendmail Daemon --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.12.2.2.a" selected="false"/> > <!-- Configure LDAP to Use TLS for All Transactions --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.12.3.1.a" selected="false"/> > <!-- Disable OpenLDAP service --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.1.1.a" selected="false"/> > <!-- Disable nfslock --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.1.1.b" selected="false"/> > <!-- Disable rpcgssd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.1.1.c" selected="false"/> > <!-- Disable rpcidmapd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.1.2.a" selected="false"/> > <!-- Disable netfs if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.2.3.a" selected="false"/> > <!-- Configure lockd to Use Fixed Ports for TCP --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.2.3.b" selected="false"/> > <!-- Configure statd to Use an outgoing static port --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.2.3.c" selected="false"/> > <!-- Configure statd to Use a static port --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.2.3.d" selected="false"/> > <!-- Configure lockd to Use a static port for UDP --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.2.3.e" selected="false"/> > <!-- Configure mountd to Use a static port --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.2.3.f" selected="false"/> > <!-- Configure rquotad to Use Fixed Ports --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.3.1.a" selected="false"/> > <!-- Disable nfs service --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.3.1.b" selected="false"/> > <!-- Disable rpcsvcgssd service --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.3.2.a" selected="false"/> > <!-- INCOMPLETE OVAL --> > <!-- Mount Remote Filesystems with nodev --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.3.2.b" selected="false"/> > <!-- Mount Remote 
Filesystems with nosuid --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.3.2.c" selected="false"/> > <!-- Mount Remote Filesystems with noexec --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.4.1.2.a" selected="false"/> > <!-- Use Root-Squashing on All Exports --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.4.1.3.a" selected="false"/> > <!-- Restrict NFS Clients to Privileged Ports --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.13.4.1.4.a" selected="false"/> > <!-- Export Filesystems Read-Only if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.14.1.a" selected="false"/> > <!-- Disable DNS Server if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.14.1.b" selected="false"/> > <!-- Uninstall bind if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.14.3.2.a" selected="false"/> > <!-- Run DNS Software in a chroot Jail owned by root group --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.14.3.2.b" selected="false"/> > <!-- Run DNS Software in a chroot Jail owned by root user --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.14.3.2.c" selected="false"/> > <!-- Set permissions on chroot Jail for DNS --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.14.4.5.a" selected="false"/> > <!-- Disable DNS Dynamic Updates if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.15.1.a" selected="false"/> > <!-- Disable vsftpd if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.15.1.b" selected="false"/> > <!-- Uninstall vsftpd if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.15.3.1.a" selected="false"/> > <!-- Enable Logging of All FTP Transactions --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.15.3.2.a" selected="false"/> > <!-- Create Warning Banners for All FTP Users --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.15.3.3.1.a" selected="false"/> > <!-- Restrict Access to Anonymous Users if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.15.3.4.a" selected="false"/> > <!-- Disable FTP Uploads if Possible --> 
> <xccdf:select idref="xccdf_cdf_rule_rule-3.16.1.a" selected="false"/> > <!-- Disable Apache if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.1.b" selected="false"/> > <!-- Uninstall Apache if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.3.1.a" selected="false"/> > <!-- Restrict Information Leakage using ServerTokens --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.3.1.b" selected="false"/> > <!-- Restrict Information Leakage using ServerSignature --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.5.1.a" selected="false"/> > <!-- Restrict permissions on /etc/httpd/conf --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.5.1.b" selected="false"/> > <!-- Restrict permissions on /etc/httpd/conf/* --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.5.1.c" selected="false"/> > <!-- Restrict permissions on /usr/sbin/httpd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.5.1.d" selected="false"/> > <!-- Restrict group access to /etc/httpd/conf/* --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.16.5.1.e" selected="false"/> > <!-- Restrict permissions on /var/log/httpd --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.1.a" selected="false"/> > <!-- Disable Dovecot if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.1.b" selected="false"/> > <!-- Uninstall Dovecot if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.2.1.a" selected="false"/> > <!-- Dovecot should not support imaps --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.2.1.b" selected="false"/> > <!-- Dovecot should not support pop3s --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.2.1.c" selected="false"/> > <!-- Dovecot should not support pop3 --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.2.1.d" selected="false"/> > <!-- Dovecot should not support imap --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.2.2.4.a" selected="false"/> > <!-- Disable Plaintext Authentication --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.2.3.a" 
selected="false"/> > <!-- Enable Dovecot Option mail_drop_priv_before_exec --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.17.2.3.b" selected="false"/> > <!-- Enable Dovecot Option mail_drop_priv_before_exec --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.18.1.a" selected="false"/> > <!-- Disable smb if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.18.2.3.a" selected="false"/> > <!-- Disable Guest Access and Local Login Support --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.18.2.10.a" selected="false"/> > <!-- Require Client SMB Packet Signing, if using smbclient --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.18.2.11.a" selected="false"/> > <!-- NO OVAL 5.5 test --> > <!-- Require Client SMB Packet Signing, if using mount.cifs --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.1.a" selected="false"/> > <!-- DONE --> > <!-- Disable squid if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.1.b" selected="false"/> > <!-- DONE --> > <!-- Uninstall squid if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.2.a" selected="false"/> > <!-- DONE --> > <!-- Verify ftp_passive setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.2.b" selected="false"/> > <!-- DONE --> > <!-- Verify ftp_sanitycheck setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.2.c" selected="false"/> > <!-- DONE --> > <!-- Verify check_hostnames setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.2.d" selected="false"/> > <!-- DONE --> > <!-- Verify request_header_max_size setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.2.e" selected="false"/> > <!-- DONE --> > <!-- Verify reply_header_max_size setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.2.f" selected="false"/> > <!-- DONE --> > <!-- Verify cache_effective_user setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.2.g" selected="false"/> > <!-- DONE --> > <!-- Verify cache_effective_group setting --> > <xccdf:select 
idref="xccdf_cdf_rule_rule-3.19.2.2.h" selected="false"/> > <!-- DONE --> > <!-- Verify ignore_unknown_nameservers setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.3.a" selected="false"/> > <!-- DONE --> > <!-- Check allow_underscore setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.3.b" selected="false"/> > <!-- DONE --> > <!-- Check httpd_suppress_version setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.3.c" selected="false"/> > <!-- DONE --> > <!-- Check forwarded_for setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.3.d" selected="false"/> > <!-- DONE --> > <!-- Check log_mime_hdrs setting --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.a" selected="false"/> > <!-- DONE --> > <!-- Restrict gss-http traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.b" selected="false"/> > <!-- DONE --> > <!-- Restrict https traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.c" selected="false"/> > <!-- DONE --> > <!-- Restrict wais traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.d" selected="false"/> > <!-- DONE --> > <!-- Restrict multiling http traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.e" selected="false"/> > <!-- DONE --> > <!-- Restrict http traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.f" selected="false"/> > <!-- DONE --> > <!-- Restrict ftp traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.g" selected="false"/> > <!-- DONE --> > <!-- Restrict gopher traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.h" selected="false"/> > <!-- DONE --> > <!-- Restrict filemaker traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.i" selected="false"/> > <!-- DONE --> > <!-- Restrict proxy access to localhost --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.19.2.5.j" selected="false"/> > <!-- DONE --> > <!-- Restrict http-mgmt traffic --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.20.1.a" selected="false"/> > 
<!-- DONE --> > <!-- Disable snmpd if Possible --> > <xccdf:select idref="xccdf_cdf_rule_rule-3.20.1.b" selected="false"/> > <!-- DONE --> > <!-- Uninstall net-snmp if Possible --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.2.3.1.i" selector="000"/> > <!-- Permissions for shadow --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.2.3.1.j" selector="644"/> > <!-- Permissions for group --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.2.3.1.k" selector="000"/> > <!-- Permissions for gshadow --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.2.3.1.l" selector="644"/> > <!-- Permissions for passwd --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.2.4.1.a" selector="022"/> > <!-- daemon umask --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.1.7.a" selector="5"/> > <!-- password minimum length --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.1.7.b" selector="1_day"/> > <!-- minimum password age (days) --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.1.7.c" selector="60_days"/> > <!-- maximum password age --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.1.7.d" selector="7_days"/> > <!-- password warn age --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.1.1.a.retry" selector="3"/> > <!-- Number of retry attempts before erroring out --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.1.1.a.minlen" selector="14"/> > <!-- Minimum number of characters in password --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.1.1.a.dcredit" selector="2"/> > <!-- Minimum number of digits in password (note: for pam_cracklib/pam_pwquality a positive credit is only a length bonus; an actual minimum requires a negative value such as dcredit=-2. Verify the Value each credit selector maps to; the same applies to ucredit, ocredit and lcredit below) --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.1.1.a.ucredit" selector="2"/> > <!-- Minimum number of upper case in password --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.1.1.a.ocredit" selector="2"/> > <!-- Minimum number of other (special characters) in password --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.1.1.a.lcredit" selector="2"/> > <!-- Minimum number of lower case in 
password --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.1.1.a.difok" selector="3"/> > <!-- Minimum number of characters not present in old password --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.2.a.deny" selector="3"/> > <!-- Deny access if tally for this user exceeds n. --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.2.a.lock_time" selector="3"/> > <!-- Always deny for n seconds after failed attempt --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.2.a.unlock_time" selector="none"/> > <!-- Allow access after n seconds after failed attempt --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.4.a" selector="usergroup"/> > <!-- Name of group containing human users --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.4.b" selector="4710"/> > <!-- userhelper file permissions --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.5.a" selector="SHA-512"/> > <!-- Password hashing algorithm --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.3.6.a" selector="5"/> > <!-- Passwords to remember --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.4.4" selector="002"/> > <!-- Sensible umask (note: 002 leaves newly created files group-writable; 027 or 077 is stricter) --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.5.2.a" selector="root"/> > <!-- User that owns /etc/grub.conf --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.5.2.b" selector="root"/> > <!-- Group that owns /etc/grub.conf --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.5.2.c" selector="600"/> > <!-- permissions on /etc/grub.conf --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.5.5" selector="15_minutes"/> > <!-- Inactivity timeout --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.3.7" selector="Empty_text"/> > <!-- login banner verbiage --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.4.2.c" selector="enforcing"/> > <!-- SELinux state --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.4.2.d" selector="targeted"/> > <!-- SELinux policy --> > <xccdf:refine-value 
idref="xccdf_cdf_value_var-2.5.1.2.a" selector="disabled"/> > <!-- net.ipv4.conf.all.accept_source_route --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.b" selector="disabled"/> > <!-- net.ipv4.conf.all.accept_redirects --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.c" selector="disabled"/> > <!-- net.ipv4.conf.all.secure_redirects --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.d" selector="enabled"/> > <!-- net.ipv4.conf.all.log_martians --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.e" selector="disabled"/> > <!-- net.ipv4.conf.default.accept_source_route --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.f" selector="disabled"/> > <!-- net.ipv4.conf.default.accept_redirects --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.g" selector="disabled"/> > <!-- net.ipv4.conf.default.secure_redirects --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.h" selector="enabled"/> > <!-- net.ipv4.icmp_echo_ignore_broadcasts --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.i" selector="enabled"/> > <!-- net.ipv4.icmp_ignore_bogus_error_responses --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.j" selector="enabled"/> > <!-- net.ipv4.tcp_syncookies --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.k" selector="enabled"/> > <!-- net.ipv4.conf.all.rp_filter --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.3.2.1.b" selector="disabled"/> > <!-- accept default router advertisements --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.3.2.1.c" selector="disabled"/> > <!-- accept default router advertisements --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.5.1.2.l" selector="enabled"/> > <!-- net.ipv4.conf.default.rp_filter --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.6.1.2.a" selector="root"/> > <!-- user that owns system log files --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.6.1.2.b" selector="root"/> > <!-- group that owns 
system log files --> > <xccdf:refine-value idref="xccdf_cdf_value_var-2.6.1.2.c" selector="600"/> > <!-- permissions of system log files --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.crontab.primary.group" selector="root"/> > <!-- group owner of /etc/crontab --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.crontab.primary.user" selector="root"/> > <!-- user owner of /etc/crontab --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.crontab.primary.permissions" selector="644"/> > <!-- permissions on /etc/crontab file --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.anacrontab.group" selector="root"/> > <!-- group owner of /etc/anacrontab --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.anacrontab.user" selector="root"/> > <!-- user owner of /etc/anacrontab --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.anacrontab.permissions" selector="644"/> > <!-- permissions on /etc/anacrontab file --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.crontab.directories.group" selector="root"/> > <!-- group owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.crontab.directories.user" selector="root"/> > <!-- user owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.system.crontab.directories.permissions" selector="755"/> > <!-- permissions on cron.hourly cron.daily cron.weekly cron.monthly cron.d --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.5.2.3.a" selector="5_minutes"/> > <!-- SSH session Idle time --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.5.2.3.b" selector="0"/> > <!-- SSH session ClientAliveCountMax (note: OpenSSH 8.2 and later treat a value of 0 as "never terminate", so the idle time above is not enforced there; a value of 1 or more is needed on current systems. Verify the Value this selector maps to) --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.spool.directory.group" selector="root"/> > <!-- Group owner of /var/spool/cron --> > <xccdf:refine-value 
idref="xccdf_cdf_value_var-3.4.2.spool.directory.user" selector="root"/> > <!-- User owner of /var/spool/cron --> > <xccdf:refine-value idref="xccdf_cdf_value_var-3.4.2.spool.directory.permissions" selector="700"/> > <!-- Permissions on /var/spool/cron --> > </xccdf:Profile> > <!-- ==================================================================================================== --> > <!-- ======================================== SECURITY GUIDANCE ======================================= --> > <!-- ==================================================================================================== --> > <!-- --> > <!-- The following groups represent the collection of guidance for this document. For --> > <!-- specific recommendations regarding which rules to enable and which values to use, please refer to --> > <!-- the XCCDF profiles above. --> > <!-- --> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1"> > <xccdf:title xml:lang="en">Introduction</xccdf:title> > <xccdf:description xml:lang="en"> > The purpose of this guide is to provide security configuration > recommendations for Fedora Linux. Recommended settings for the basic > operating system are provided, as well as for many commonly-used services > that the system can host in a network environment.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The guide is intended for system administrators. Readers are > assumed to possess basic system administration skills for Unix-like systems, as well as some > familiarity with Red Hat's documentation and administration conventions. Some instructions > within this guide are complex. All directions should be followed completely and with > understanding of their effects in order to avoid serious adverse effects on the system and its > security. 
> </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.1"> > <xccdf:title xml:lang="en">General Principles</xccdf:title> > <xccdf:description xml:lang="en"> > The following general principles motivate much of the advice in > this guide and should also influence any configuration decisions that are not explicitly > covered.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.1.1" weight="1.0"> > <xccdf:title xml:lang="en">Encrypt Transmitted Data Whenever Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Data transmitted over a network, whether wired or wireless, is > susceptible to passive monitoring. Whenever practical solutions for encrypting such data > exist, they should be applied. Even if data is expected to be transmitted only over a > local network, it should still be encrypted. Encrypting authentication data, such as > passwords, is particularly important. Networks of machines can and should be > configured so that no unencrypted authentication data is ever transmitted between > machines.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.1.2"> > <xccdf:title xml:lang="en">Minimize Software to Minimize Vulnerability</xccdf:title> > <xccdf:description xml:lang="en"> > The simplest way to avoid vulnerabilities in software is to avoid > installing that software. The RPM Package Manager allows for careful management of the > set of software packages installed on a system. Installed software contributes to system > vulnerability in several ways. Packages that include setuid programs may provide local > attackers a potential path to privilege escalation. Packages that include network services > may give this opportunity to network-based attackers. Packages that include programs > which are predictably executed by local users (e.g. after graphical login) may provide > opportunities for trojan horses or other attack code to be run undetected. 
The number of > software packages installed on a system can almost always be significantly pruned to include only > the software for which there is an environmental or operational need.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.1.3"> > <xccdf:title xml:lang="en">Run Different Network Services on Separate Systems</xccdf:title> > <xccdf:description xml:lang="en"> > Whenever possible, a server should be dedicated to serving > exactly one network service. This limits the number of other services that can be > compromised in the event that an attacker is able to successfully exploit a software flaw > in one network service.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.1.4"> > <xccdf:title xml:lang="en">Configure Security Tools to Improve System Robustness</xccdf:title> > <xccdf:description xml:lang="en"> > Several tools exist which can be effectively used to improve a > system's resistance to and detection of unknown attacks. These tools can improve > robustness against attack at the cost of relatively little configuration effort. In > particular, this guide recommends and discusses the use of Iptables for host-based > firewalling, SELinux for protection against vulnerable services, and a logging and > auditing infrastructure for detection of problems.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.1.5"> > <xccdf:title xml:lang="en">Least Privilege</xccdf:title> > <xccdf:description xml:lang="en"> > Grant the least privilege necessary for user accounts and > software to perform tasks. For example, do not allow users except those that need > administrator access to use sudo. Another example is to limit logins on server > systems to only those administrators who need to log into them in order to perform > administration tasks. 
Using SELinux also follows the principle of least privilege: > SELinux policy can confine software to perform only actions on the system that are > specifically allowed. This can be far more restrictive than the actions permissible > by the traditional Unix permissions model.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.2"> > <xccdf:title xml:lang="en">How to Use This Guide</xccdf:title> > <xccdf:description xml:lang="en">Readers should heed the following points when using the guide.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.2.1"> > <xccdf:title xml:lang="en">Read Sections Completely and in Order</xccdf:title> > <xccdf:description xml:lang="en"> > Each section may build on information and recommendations > discussed in prior sections. Each section should be read and understood completely; > instructions should never be blindly applied. Relevant discussion will occur after > instructions for an action. The system-level configuration guidance in Chapter 2 must be > applied to all machines. The guidance for individual services in Chapter 3 must be > considered for all machines as well: apply the guidance if the machine is either a server > or a client for that service, and ensure that the service is disabled according to the > instructions provided if the machine is neither a server nor a client.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.2.2"> > <xccdf:title xml:lang="en">Test in Non-Production Environment</xccdf:title> > <xccdf:description xml:lang="en"> > This guidance should always be tested in a non-production > environment before deployment. 
This test environment should simulate the setup in which > the system will be deployed as closely as possible.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.2.3"> > <xccdf:title xml:lang="en">Root Shell Environment Assumed</xccdf:title> > <xccdf:description xml:lang="en"> > Most of the actions listed in this document are written with the > assumption that they will be executed by the root user running the /bin/bash shell. Any > commands preceded with a hash mark (#) assume that the administrator will execute the > commands as root, i.e. apply the command via sudo whenever possible, or use su to gain > root privileges if sudo cannot be used.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.2.4"> > <xccdf:title xml:lang="en">Formatting Conventions</xccdf:title> > <xccdf:description xml:lang="en"> > Commands intended for shell execution, as well as configuration > file text, are featured in a monospace font. Italics are used to indicate instances where > the system administrator must substitute the appropriate information into a command or > configuration file.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-1.2.5"> > <xccdf:title xml:lang="en">Reboot Required</xccdf:title> > <xccdf:description xml:lang="en"> > A system reboot is implicitly required after some actions in > order to complete the reconfiguration of the system. In many cases, the changes will not > take effect until a reboot is performed. 
In order to ensure that changes are applied > properly and to test functionality, always reboot the system after applying a set of > recommendations from this guide.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2"> > <xccdf:title xml:lang="en">System-wide Configuration</xccdf:title> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1"> > <xccdf:title xml:lang="en">Installing and Maintaining Software</xccdf:title> > <xccdf:description xml:lang="en"> > The following sections contain information on security-relevant > choices during the initial operating system installation process and the setup of software > updates.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1"> > <xccdf:title xml:lang="en">Initial Installation Recommendations</xccdf:title> > <xccdf:description xml:lang="en"> > The recommendations here apply to a clean installation of the > system, where any previous installations are wiped out. The sections presented here are in > the same order that the installer presents, but only installation choices with security > implications are covered. Many of the configuration choices presented here can also be > applied after the system is installed. The choices can also be automatically applied via > Kickstart files.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.1"> > <xccdf:title xml:lang="en">Disk Partitioning</xccdf:title> > <xccdf:description xml:lang="en"> > Some system directories should be placed on their own partitions > (or logical volumes). This allows for better separation and protection of data. 
> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The installer's default partitioning scheme creates separate partitions (or logical volumes) > for /, /boot, and swap.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>If starting with any of the default layouts, check the box to "Review and modify > partitioning." This allows for the easy creation of additional logical volumes inside > the volume group already created, though it may require making /'s logical volume smaller > to create space. In general, using logical volumes is preferable to using partitions > because they can be more easily adjusted later.</xhtml:li><xhtml:li>If creating a custom layout, create the partitions mentioned in the previous paragraph > (which the installer will require anyway), as well as separate ones described in the > following sections.</xhtml:li></xhtml:ul> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a system has already been installed, and the default partitioning scheme was > used, it is possible but nontrivial to modify it to create separate logical volumes for the > directories listed above. The Logical Volume Manager (LVM) makes this possible. See the LVM > HOWTO at http://tldp.org/HOWTO/LVM-HOWTO/ for more detailed information on LVM. > </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.1.1"> > <xccdf:title xml:lang="en">Create Separate Partition or Logical Volume for /tmp</xccdf:title> > <xccdf:description xml:lang="en"> > The /tmp directory is a world-writable directory used for > temporary file storage. Ensure that it has its own partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Because software may need to use /tmp to temporarily store large files, ensure > that it is of adequate size. For a modern, general-purpose system, 10GB should be adequate. 
Smaller or larger sizes could be used, depending on > the availability of space on the drive and the system's operating requirements. > </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.1.1.1.1.b" operator="equals" type="string"> > <xccdf:title>Minimum size for /tmp</xccdf:title> > <xccdf:question xml:lang="en">Choose minimum size of /tmp</xccdf:question> > <xccdf:value>2G</xccdf:value> > <xccdf:value selector="125M">125M</xccdf:value> > <xccdf:value selector="500M">500M</xccdf:value> > <xccdf:value selector="2G">2G</xccdf:value> > <xccdf:value selector="10G">10G</xccdf:value> > <xccdf:value selector="40G">40G</xccdf:value> > <xccdf:match>^[\d]+[KMGkmg]?$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.1.1.1.a" selected="false" weight="10.0"> > <xccdf:title xml:lang="en">Ensure that /tmp has its own partition or logical volume</xccdf:title> > <xccdf:description xml:lang="en">The /tmp directory is a world-writable directory used for temporary file storage. 
Ensure that it has its own partition or logical volume.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20000"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.1.1.1.b" selected="false" weight="2.0"> > <xccdf:title xml:lang="en">Ensure that /tmp is of adequate size</xccdf:title> > <xccdf:description xml:lang="en">Because software may need to use /tmp to temporarily store large files, ensure that it is of adequate size.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <!-- NOTE(review): unlike rule 2.1.1.1.2.b below, this check has no check-export, so the value chosen for xccdf_cdf_value_var-2.1.1.1.1.b never reaches the OVAL definition; confirm against def:20001 what threshold it actually tests --> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20001"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.1.2"> > <xccdf:title xml:lang="en">Create Separate Partition or Logical Volume for /var</xccdf:title> > <xccdf:description xml:lang="en"> > The /var directory is used by daemons and other system > services to store frequently-changing data. It is not uncommon for the /var directory > to contain world-writable directories, installed by other software packages. > Ensure that /var has its own partition or logical volume.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Because the yum package manager and other software uses /var to temporarily store > large files, ensure that it is of adequate size. For a modern, general-purpose system, > 10GB should be adequate. 
> </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.1.1.1.2.b" operator="equals" type="string"> > <xccdf:title>Minimum size of /var</xccdf:title> > <xccdf:description>Choose minimum size of /var</xccdf:description> > <xccdf:question xml:lang="en">Choose minimum size of /var</xccdf:question> > <xccdf:value>5G</xccdf:value> > <xccdf:value selector="500k">500K</xccdf:value> > <xccdf:value selector="1G">1G</xccdf:value> > <xccdf:value selector="5G">5G</xccdf:value> > <xccdf:value selector="10G">10G</xccdf:value> > <xccdf:value selector="15G">15G</xccdf:value> > <xccdf:value selector="20G">20G</xccdf:value> > <xccdf:match>^[\d]+[KMGkmg]?$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.1.1.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title xml:lang="en">Ensure that /var has its own partition or logical volume</xccdf:title> > <xccdf:description xml:lang="en">The /var directory is used by daemons and other system services to store frequently-changing data. It is not uncommon for the /var directory to contain world-writable directories, installed by other software packages. Ensure that /var has its own partition or logical volume.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20002"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.1.1.2.b" selected="false" weight="10.0"> > <xccdf:title xml:lang="en">Ensure that /var is of adequate size</xccdf:title> > <xccdf:description xml:lang="en">Because the yum package manager and other software uses /var to temporarily store large files, ensure that it is of adequate size. 
For a modern, general-purpose system, 10GB should be adequate.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20003" value-id="xccdf_cdf_value_var-2.1.1.1.2.b"/> > <!-- TBD --> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20003"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.1.3"> > <xccdf:title xml:lang="en">Create Separate Partition or Logical Volume for /var/log</xccdf:title> > <xccdf:description xml:lang="en"> > System logs are stored in the /var/log directory. > Ensure that it has its own partition or logical volume. > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See 2.6 for more information about logging and auditing.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.1.1.3.a" selected="false" weight="10.0"> > <xccdf:title xml:lang="en">Ensure that /var/log has its own partition or logical volume</xccdf:title> > <xccdf:description xml:lang="en"> > System logs are stored in the /var/log directory. > Ensure that it has its own partition or logical volume.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20004"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.1.4"> > <xccdf:title xml:lang="en">Create Separate Partition or Logical Volume for /var/log/audit</xccdf:title> > <xccdf:description xml:lang="en"> > Audit logs are stored in the /var/log/audit directory. > Ensure that it has its own partition or logical volume. 
Make absolutely certain > that it is large enough to store all audit logs that will be created by the auditing > daemon.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See 2.6.2.2 for discussion on deciding on an appropriate size for the volume.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.1.1.4.a" selected="false" weight="10.0"> > <xccdf:title xml:lang="en">Ensure that /var/log/audit has its own partition or logical volume</xccdf:title> > <xccdf:description xml:lang="en"> > Audit logs are stored in the /var/log/audit directory. > Ensure that it has its own partition or logical volume. > Make absolutely certain that it is large enough to store > all audit logs that will be created by the auditing daemon.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20005"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.1.5"> > <xccdf:title xml:lang="en">Create Separate Partition or Logical Volume for /home if Using Local Home Directories</xccdf:title> > <xccdf:description xml:lang="en"> > If user home directories will be stored locally, create a separate > partition for /home. If /home will be mounted from another system such as an NFS server, then > creating a separate partition is not necessary at this time, and the mountpoint can > instead be configured later.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.1.1.5.a" selected="false" severity="low" weight="10.0"> > <xccdf:title xml:lang="en">Ensure that /home has its own partition or logical volume</xccdf:title> > <xccdf:description xml:lang="en"> > If user home directories will be stored locally, create a separate partition for /home. 
> If /home will be mounted from another system such as an NFS server, then creating a > separate partition is not necessary at this time, and the mountpoint can instead be > configured later.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20006"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.2"> > <xccdf:title xml:lang="en">Boot Loader Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > Check the box to "Use a boot loader password" and create a > password. Once this password is set, anyone who wishes to change the boot loader > configuration will need to enter it. More information is available in Section > 2.3.5.2.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Assigning a boot loader password prevents a local user > with physical access from altering the boot loader configuration at system startup. > </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.3"> > <xccdf:title xml:lang="en">Network Devices</xccdf:title> > <xccdf:description xml:lang="en"> > The default network device configuration uses DHCP, which is > not recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Unless use of DHCP is absolutely necessary, click > the "Edit" button and: > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li> > Uncheck "Use Dynamic IP configuration > (DHCP)". Uncheck "Enable IPv4 Support" if the system does not require IPv4. (This is > uncommon.) > </xhtml:li><xhtml:li> > Uncheck "Enable IPv6 Support" if the system does not require > IPv6. > </xhtml:li><xhtml:li> > Enter appropriate IPv4 and IPv6 addresses and prefixes as > required. 
> </xhtml:li></xhtml:ul> > With the DHCP setting disabled, the hostname, gateway, and DNS > servers should then be assigned on the main screen.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Sections 3.9.1 > and 3.9.2 contain more information on network configuration and the use of DHCP. > </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.4"> > <xccdf:title xml:lang="en">Root Password</xccdf:title> > <xccdf:description xml:lang="en"> > The security of the entire system depends on the strength of > the root password. The password should be at least 12 characters long, and should > include a mix of capitalized and lowercase letters, special characters, and numbers. It > should also not be based on any dictionary word.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.5"> > <xccdf:title xml:lang="en">Software Packages</xccdf:title> > <xccdf:description xml:lang="en"> > Uncheck all package groups, including the package groups > "Software Development" and "Web Server", unless there is a specific requirement to > install software using the system installer. If the machine will be used as a web > server, it is preferable to manually install the necessary RPMs instead of installing > the full "Web Server" package group. See Section 3.16 for installation and configuration > details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Use the "Customize now" radio box to prune package groups > as much as possible. This brings up a two-column view of categories and package groups. > If appropriate, uncheck "X Window System" in the "Base System" category to avoid > installing X entirely. Any other package groups not necessary for system operation > should also be unchecked. 
> </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.1.6"> > <xccdf:title xml:lang="en">First-boot Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > The system presents more configuration options during the first > boot after installation. For the screens listed, implement the security-related > recommendations:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li> > Firewall - Leave set to > 'Enabled.' Only check the 'Trusted Services' that this system needs to serve. Uncheck > the default selection of SSH if the system does not need to serve > SSH. > </xhtml:li><xhtml:li> > SELinux - Leave SELinux set to 'Enforcing' mode. > </xhtml:li><xhtml:li> > Kdump - > Leave Kdump off unless the feature is required, such as for kernel development and > testing. > </xhtml:li><xhtml:li> > Set Up Software Updates - If the system is connected to the > Internet now, click 'Yes, I'd like to register now.' This will require a connection to > either the Red Hat Network servers or their proxies or satellites. This can also be > configured later as described in Section 2.1.2.1. > </xhtml:li><xhtml:li> > Create User - If the > system will require a local user account, it can be created here. Even if the system > will be using a network-wide authentication system as described in Section 2.3.6, do > not click on the 'Use Network Login...' button. Manually applying configuration later > is preferable. > </xhtml:li></xhtml:ul> > </xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2"> > <xccdf:title xml:lang="en">Security Updates</xccdf:title> > <xccdf:description xml:lang="en"> > As security vulnerabilities are discovered, the affected software must be updated in order > to limit any potential security risks. 
If the software is part of a package within a Fedora > distribution that is currently supported, Fedora is committed to releasing updated packages > that fix the vulnerability as soon as is possible. Often, announcements about a given > security exploit are accompanied with a patch (or source code that fixes the problem). > This patch is then applied to the Fedora package and tested and released as an errata update. > However, if an announcement does not include a patch, a developer first works with the maintainer > of the software to fix the problem. Once the problem is fixed, the package is tested > and released as an errata update. > </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.1"> > <xccdf:title xml:lang="en">Updating Software</xccdf:title> > <xccdf:description xml:lang="en"> > The yum command line tool is used to install and update software > packages. The system also provides package management service called PackageKit > that allows the session users to manage packages in a secure way. There are several > graphical utilities designed for installing, updating and removing packages on your > system that use PackageKit API. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is recommended to use these mechanisms to keep systems up to date with the latest > security patches. 
> </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.1.1"> > <xccdf:title xml:lang="en">Ensure Fedora GPG Key is Installed</xccdf:title> > <xccdf:description xml:lang="en"> > To ensure that the system can cryptographically verify update packages, run the following command to verify > that the system has the Fedora GPG key properly installed:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The command should return the string:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gpg(Fedora (14) <fedora@fedoraproject.org>)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Having the key installed only makes verification possible; yum enforces it only when gpgcheck is enabled, as described in 2.1.2.3.3.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.2.1.1.a" selected="false" weight="10"> > <xccdf:title xml:lang="en">Ensure Fedora GPG Key is Installed</xccdf:title> > <xccdf:description>The GPG key should be installed.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <!-- NOTE(review): definition id 200065 falls outside the 20000 to 20012 sequence used by the neighbouring rules (20006 precedes, 20008 follows); confirm that this id, and not 20007, exists in scap-fedora14-oval.xml --> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:200065"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.3"> > <xccdf:title xml:lang="en">Obtain Software Package Updates with yum</xccdf:title> > <xccdf:description xml:lang="en"> > The yum update utility can be run by hand from the command > line, called through one of the provided front-end tools, or configured to run > automatically at specified intervals.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.3.2"> > <xccdf:title xml:lang="en">Configure Automatic Update Retrieval and Installation with Cron</xccdf:title> > <xccdf:description 
xml:lang="en"> > The yum-updatesd service is not mature enough for an > enterprise environment, and the service may introduce unnecessary overhead. When > possible, replace this service with a cron job that calls yum > directly.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Create the file yum.cron, make it executable, and place it in > /etc/cron.daily:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#!/bin/sh<xhtml:br/> > <xhtml:br/> > /usr/bin/yum -R 120 -e 0 -d 0 -y update yum > <xhtml:br/> > /usr/bin/yum -R 10 -e 0 -d 0 -y update<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This particular script instructs yum to update any > packages it finds. Placing the script in /etc/cron.daily ensures its daily execution. > To only apply updates once a week, place the script in /etc/cron.weekly instead.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Because the script passes -y to yum, updates are installed without confirmation. Enable package and repodata signature checking (2.1.2.3.3 through 2.1.2.3.6) before scheduling it, so that only signed packages are installed unattended. 
> </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.1.2.3.2.b" operator="equals" type="string"> > <xccdf:title>Schedule yum update using cron</xccdf:title> > <xccdf:description>Enter the frequency with which to invoke yum update</xccdf:description> > <xccdf:question xml:lang="en">Select frequency of yum update</xccdf:question> > <xccdf:value>daily</xccdf:value> > <xccdf:value selector="hourly">hourly</xccdf:value> > <xccdf:value selector="daily">daily</xccdf:value> > <xccdf:value selector="weekly">weekly</xccdf:value> > <xccdf:value selector="monthly">monthly</xccdf:value> > <xccdf:match>hourly|daily|weekly|monthly</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>hourly</xccdf:choice> > <xccdf:choice>daily</xccdf:choice> > <xccdf:choice>weekly</xccdf:choice> > <xccdf:choice>monthly</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.2.3.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>yum-updatesd service should be disabled</xccdf:title> > <xccdf:description>The yum-updatesd service should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4218-4</xccdf:ident> > <!-- NOTE(review): the leading "# " is the root-prompt convention from 1.2.3; if this fix text is ever run as a shell script the line is a comment and does nothing --> > <xccdf:fix># chkconfig yum-updatesd off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20008"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.2.3.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Automatic Update Retrieval should be scheduled with Cron</xccdf:title> > <xccdf:description>Place the yum.cron script, with a #!/bin/sh first line and the executable bit set, in the /etc/cron.* directory that matches the selected frequency. Note that the fix below only writes the two yum commands into /etc/cron.weekly/yum.cron: it adds no interpreter line, does not mark the file executable, and ignores any frequency other than weekly.</xccdf:description> > <xccdf:fix>echo -e "/usr/bin/yum -R 120 -e 0 -d 0 -y update yum\n/usr/bin/yum -R 10 -e 0 -d 0 -y update" > /etc/cron.weekly/yum.cron</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export 
export-name="oval:org.open-scap.f14.dcb:var:20009" value-id="xccdf_cdf_value_var-2.1.2.3.2.b"/> > <!-- TBD: the export-name namespace "org.open-scap.f14.dcb" differs from the "org.open-scap.f14" used by every definition here and by var:20003 above; confirm the variable id against scap-fedora14-oval.xml --> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20009"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.3.3"> > <xccdf:title xml:lang="en">Ensure Package Signature Checking is Globally Activated</xccdf:title> > <xccdf:description xml:lang="en"> > The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior > to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To force yum to check package signatures before installing them, ensure that the following line appears in > /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gpgcheck=1 > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This [main] setting is only the default; an individual repository file can still override it with gpgcheck=0, which 2.1.2.3.4 checks for. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.2.3.3.a" selected="false" weight="10.0"> > <xccdf:title>Ensure gpgcheck is Globally Activated</xccdf:title> > <xccdf:description> > The gpgcheck option should be used to ensure that checking of an RPM package's signature always occurs prior to its installation.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check package signatures before installing them, ensure that the following line appears in /etc/yum.conf in the [main] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gpgcheck=1</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20010"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > 
<xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.3.4"> > <xccdf:title xml:lang="en">Ensure Package Signature Checking is Not Disabled For Any Repos</xccdf:title> > <xccdf:description xml:lang="en"> > To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT > appear in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gpgcheck=0 > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.2.3.4.a" selected="false" weight="10.0"> > <xccdf:title>Ensure Package Signature Checking is Not Disabled For Any Repos</xccdf:title> > <xccdf:description> > To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>gpgcheck=0</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20011"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.3.5"> > <xccdf:title xml:lang="en">Ensure Repodata Signature Checking is Globally Activated</xccdf:title> > <xccdf:description xml:lang="en"> > The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior > to using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To force yum to check the signature on repodata sent by a repository prior to using it, ensure that the > following line appears in /etc/yum.conf in the [main] section:<xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > repo_gpgcheck=1 > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.2.3.5.a" selected="false" weight="10.0"> > <xccdf:title>Ensure Repodata Signature Checking is Globally Activated</xccdf:title> > <xccdf:description> > The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior to using it.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>To force yum to check the signature on repodata sent by a repository prior to using it, ensure that the following line appears in /etc/yum.conf in the [main] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>repo_gpgcheck=1</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20012"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.2.3.6"> > <xccdf:title xml:lang="en">Ensure Repodata Signature Checking is Not Disabled For Any Repos</xccdf:title> > <xccdf:description xml:lang="en"> > To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT > appear in any repo configuration files in /etc/yum.repos.d or elsewhere:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gpgcheck=0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: Red Hat's repositories support signatures on repodata, but some public repositories do not. 
If a repository > does not support signature checking on repodata, then this risk must be weighed against the value of using the > repository. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.2.3.6.a" selected="false" weight="10.0"> > <xccdf:title>Ensure Repodata Signature Checking is Not Disabled For Any Repos</xccdf:title> > <xccdf:description> > To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT appear in any repo configuration files in /etc/yum.repos.d or elsewhere: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>gpgcheck=0</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20013"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3"> > <xccdf:title xml:lang="en">Software Integrity Checking</xccdf:title> > <xccdf:description xml:lang="en"> > The AIDE (Advanced Intrusion Detection Environment) software is > included with the system to provide software integrity checking. It is designed to be a > replacement for the well-known Tripwire integrity checker. Integrity checking cannot > <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">prevent</xhtml:em> > intrusions into your system, but can detect that they have occurred.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Any integrity checking software should be configured before > the system is deployed and able to provide services to users. Ideally, the integrity > checking database would be built before the system is connected to any network, though > this may prove impractical due to registration and software updates. 
> </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3.1"> > <xccdf:title xml:lang="en">Configure AIDE</xccdf:title> > <xccdf:description xml:lang="en"> > Requirements for software integrity checking should be defined > by policy, and this is highly dependent on the environment in which the system will be > used. As such, a general strategy for implementing integrity checking is provided, but > precise recommendations (such as to check a particular file) cannot be. Documentation > for AIDE, including the quick-start on which this advice is based, is available in > /usr/share/doc/aide-0.12.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3.1.1"> > <xccdf:title xml:lang="en">Install AIDE</xccdf:title> > <xccdf:description xml:lang="en">AIDE is not installed by default.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.3.1.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Install AIDE</xccdf:title> > <xccdf:description>The AIDE package should be installed</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4209-3</xccdf:ident> > <xccdf:fix>yum install aide</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20014"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3.1.2"> > <xccdf:title xml:lang="en">Customize Configuration File</xccdf:title> > <xccdf:description xml:lang="en"> > Customize /etc/aide.conf to meet your requirements. The > default configuration is acceptable for many environments. > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The man page aide.conf(5) > provides detailed information about the configuration file format. 
> </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3.1.3"> > <xccdf:title xml:lang="en">Build, Store, and Test Database</xccdf:title> > <xccdf:description xml:lang="en"> > Generate a new database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --init<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, the database will be written to > the file /var/lib/aide/aide.db.new.gz. The database, as well as the configuration file > /etc/aide.conf and the binary /usr/sbin/aide (or hashes of these files) should be > copied and stored in a secure location. Storing these copies or hashes on read-only > media may provide further confidence that they will not be > altered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Install the newly-generated database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Run a manual check: > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /usr/sbin/aide --check<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If this check produces any unexpected output, investigate. 
> </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3.1.4"> > <xccdf:title xml:lang="en">Implement Periodic Execution of Integrity Checking</xccdf:title> > <xccdf:description xml:lang="en"> > By default, AIDE does not install itself for periodic execution.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Implement checking with whatever frequency is required > by your security policy. A once-daily check may be suitable for many environments. For > example, to implement a daily execution of AIDE at 4:05am, add the following line to > /etc/crontab:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 05 4 * * * root /usr/sbin/aide --check<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > AIDE output may be an indication of an attack against > your system, or it may be the result of something innocuous such as an administrator's > configuration change or a software update. The steps in Section 2.1.3.1.3 should be > repeated when configuration changes or software updates necessitate. This will > certainly be necessary after applying guidance later in this guide. 
> </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.1.3.1.4.a" operator="equals" type="string"> > <xccdf:title>Schedule AIDE check using cron</xccdf:title> > <xccdf:description>Frequency with which to run AIDE check</xccdf:description> > <xccdf:question xml:lang="en">Select frequency with which to run AIDE check</xccdf:question> > <xccdf:value>daily</xccdf:value> > <xccdf:value selector="hourly">hourly</xccdf:value> > <xccdf:value selector="daily">daily</xccdf:value> > <xccdf:value selector="weekly">weekly</xccdf:value> > <xccdf:value selector="monthly">monthly</xccdf:value> > <xccdf:match>hourly|daily|weekly|monthly</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>hourly</xccdf:choice> > <xccdf:choice>daily</xccdf:choice> > <xccdf:choice>weekly</xccdf:choice> > <xccdf:choice>monthly</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.3.1.4.a" role="full" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Run AIDE periodically</xccdf:title> > <xccdf:description>Setup cron to run AIDE periodically using cron.</xccdf:description> > <!-- note that anything periodic will pass including monthly --> > <xccdf:fix>echo -e "/usr/sbin/aide --check" > /etc/cron.daily/aide.cron</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20015" value-id="xccdf_cdf_value_var-2.1.3.1.4.a"/> > <!-- TBD --> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20015"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3.1.5"> > <xccdf:title xml:lang="en">Manually Verify Integrity of AIDE</xccdf:title> > <xccdf:description xml:lang="en"> > Because integrity checking is a means of intrusion detection > and not intrusion prevention, it cannot be guaranteed that the AIDE binaries, > configuration files, or database have not 
been tampered with. An attacker could > disable or alter these files after a successful intrusion. Because of this, manual and > frequent checks on these files are recommended. The safely stored copies (or hashes) of > the database, binary, and configuration file were created earlier for this > purpose.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Manually verify the integrity of the AIDE binaries, > configuration file, and database. Possibilities for doing so include: > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Use sha1sum or md5sum to generate checksums on the > files and then visually compare them to those generated from the safely stored > versions. This does not, of course, preclude the possibility that such output could > also be faked.</xhtml:li><xhtml:li>Mount the stored versions on read-only media and run > /bin/diff to verify that there are no differences between the > files.</xhtml:li><xhtml:li>Copying the files to another system and performing the hash or file > comparisons there may impart additional confidence that the manual verification > process is not being interfered with.</xhtml:li></xhtml:ol> > </xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.1.3.2"> > <xccdf:title xml:lang="en">Verify Package Integrity Using RPM</xccdf:title> > <xccdf:description xml:lang="en"> > The RPM package management system includes the ability to > verify the integrity of installed packages by comparing the installed files with > information about the files taken from the package metadata stored in the RPM > database. 
Although an attacker could corrupt the RPM database (analogous to > attacking the AIDE database as described above), this check can still reveal > modification of important files.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To determine which files on the system differ from what is expected by the RPM > database:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -qVa<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A 'c' in the second column indicates that a file is a configuration file (and may be > expected to change). In order to exclude configuration files from this list, run: > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpm -qVa | awk '$2!="c" {print $0}'<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The man page rpm(8) describes the format of the output. Any files that do not > match the expected output demand further investigation if the system is being > seriously examined. This check could also be run as a cron job. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.1.3.2.a" selected="false" weight="10.0"> > <xccdf:title>Verify Package Integrity Using RPM</xccdf:title> > <xccdf:description>Verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:200155"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2"> > <xccdf:title xml:lang="en">File Permissions and Masks</xccdf:title> > <xccdf:description xml:lang="en"> > Traditional Unix security relies heavily on file and directory > permissions to prevent unauthorized users from reading or modifying files to which they > should not have access. Adhere to the principle of least privilege – configure each file, > directory, and filesystem to allow only the access needed in order for that file to serve > its purpose.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, Linux systems contain a large number of files, so > it is often prohibitively time-consuming to ensure that every file on a machine has exactly > the permissions needed. This section introduces several permission restrictions which are > almost always appropriate for system security, and which are easy to test and > correct. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: Several of the commands in this section search > filesystems for files or directories with certain characteristics, and are intended to be > run on every local ext2, ext3 and ext4 partition on a given machine. 
When the variable > <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> > appears in one of the commands below, it means that the command > is intended to be run repeatedly, with the name of each local partition substituted for > <xhtml:em xmlns:xhtml="http://www.w3.org/1999/xhtml">PART</xhtml:em> > in turn.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The following command prints a > list of ext2, ext3 and ext4 partitions on a given machine:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ mount -t ext2,ext3,ext4 | awk '{print $3}'<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If your site uses a local filesystem type other than ext{234}, you will need to modify > this command. > </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.1"> > <xccdf:title xml:lang="en">Restrict Partition Mount Options</xccdf:title> > <xccdf:description xml:lang="en"> > System partitions can be mounted with certain options which limit > what files on those partitions can do. These options are set in the file /etc/fstab, and > can be used to make certain types of malicious behavior more difficult.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.1.1" weight="1.0"> > <xccdf:title xml:lang="en">Add nodev Option to Non-Root Local Partitions</xccdf:title> > <xccdf:description xml:lang="en"> > The nodev option prevents users from mounting unauthorized > devices on any partition which is known not to contain any authorized devices. The root > partition typically contains the /dev partition, which is the primary location for > authorized devices, so this option should not be set on /. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, if system programs are being run in chroot jails, this advice may need to be > modified further, since it is often necessary to create device files inside the chroot > directory for use by the restricted program. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.1.1.a" role="full" selected="false" severity="unknown" weight="10.0"> > <xccdf:title>Add nodev Option to Non-Root Local Partitions</xccdf:title> > <xccdf:description>The nodev option should be disabled as appropriate for all non-root partitions.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4249-9</xccdf:ident> > <xccdf:fixtext> > Edit the file /etc/fstab. The important columns for purposes of > this section are column 2 (mount point), column 3 (filesystem type), and column 4 (mount > options). For any line which satisfies all of the conditions: > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The filesystem type is ext2, ext3 or ext4</xhtml:li><xhtml:li>The mount point is not /</xhtml:li></xhtml:ul> > add the text ',nodev' to the list of mount options in column 4. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20016"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.1.2"> > <xccdf:title xml:lang="en">Add nodev, nosuid, and noexec Options to Removable Media Partitions</xccdf:title> > <xccdf:description xml:lang="en"> > Users should not be allowed to introduce arbitrary devices or > setuid programs to a system. These options are used to prevent that. 
In addition, while > users are usually allowed to add executable programs to a system, the noexec option > prevents code from being executed directly from the media itself, and may therefore > provide a line of defense against certain types of worms or malicious code.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.1.2.a" selected="false" weight="10.0"> > <xccdf:title>Add nodev Option to Removable Media Partitions</xccdf:title> > <xccdf:description>The nodev option should be disabled for all removable media.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3522-0</xccdf:ident> > <xccdf:fixtext>Edit the file /etc/fstab. Filesystems which represent removable media can be > located by finding lines whose mount points contain strings like floppy or cdrom, or > whose types are iso9660, vfat, or msdos. For each line representing a removable media > mountpoint, add the text ',nodev' to the list of mount options in column 4.</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20017"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.1.2.b" selected="false" weight="10.0"> > <xccdf:title>Add noexec Option to Removable Media Partitions</xccdf:title> > <xccdf:description>The noexec option should be disabled for all removable media.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4275-4</xccdf:ident> > <xccdf:fixtext>Edit the file /etc/fstab. Filesystems which represent removable media can be > located by finding lines whose mount points contain strings like floppy or cdrom, or > whose types are iso9660, vfat, or msdos. 
For each line representing a removable media > mountpoint, add the text ',noexec' to the list of mount options in column 4.</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20018"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.1.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Add nosuid Option to Removable Media Partitions</xccdf:title> > <xccdf:description>The nosuid option should be disabled for all removable media.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4042-8</xccdf:ident> > <xccdf:fixtext>Edit the file /etc/fstab. Filesystems which represent removable media can be > located by finding lines whose mount points contain strings like floppy or cdrom, or > whose types are iso9660, vfat, or msdos. For each line representing a removable media > mountpoint, add the text ',nosuid' to the list of mount options in column 4.</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20019"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2"> > <xccdf:title xml:lang="en">Restrict Dynamic Mounting and Unmounting of Filesystems</xccdf:title> > <xccdf:description xml:lang="en"> > Linux includes a number of facilities for the automated addition > and removal of filesystems on a running system. These facilities may increase convenience, > but they all bring some risk, whether direct risk from allowing unprivileged users to > introduce arbitrary filesystems to a machine, or risk that software flaws in the automated > mount facility itself will allow an attacker to compromise the > system. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Use caution when enabling any such facility, and find out > whether better configuration management or user education might solve the same problem > with less risk. > </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.1"> > <xccdf:title xml:lang="en">Disable USB Device Support</xccdf:title> > <xccdf:description xml:lang="en">USB flash or hard drives allow an attacker with physical access to a system to quickly copy an enormous amount of data from it.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.1.1"> > <xccdf:title xml:lang="en">Disable Modprobe Loading of USB Storage Driver</xccdf:title> > <xccdf:description xml:lang="en"> > If USB storage devices should not be used, the modprobe > program used for automatic kernel module loading should be configured to not load the > USB storage driver upon demand. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This will prevent the modprobe program from loading the usb-storage module, but will > not prevent an administrator (or another program) from using the insmod program to > load the module manually. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.1.1.a" selected="false" weight="10.0"> > <xccdf:title>Disable Modprobe Loading of USB Storage Driver</xccdf:title> > <xccdf:description>The USB device support module should not be loaded</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4187-1</xccdf:ident> > <xccdf:fix>echo -e "\nblacklist usb_storage" >> /etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20021"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.1.2"> > <xccdf:title xml:lang="en">Remove USB Storage Driver</xccdf:title> > <xccdf:description xml:lang="en"> > If your system never requires the use of USB storage devices, > then the supporting driver can be removed. Though more effective (as USB storage > certainly cannot be used if the driver is not available at all), this is less elegant > than the method described in Section 2.2.2.1.1. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note that this guidance will not prevent USB storage devices from being mounted if a > custom kernel (i.e., not the one supplied with the system) with built-in USB support > is used. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.1.2.a" selected="false" weight="10.0"> > <xccdf:title>Remove USB Storage Driver</xccdf:title> > <xccdf:description> > The USB device support module should not be installed. The command in > the FIX will need to be repeated every time the kernel is updated. 
This command > will also cause the command rpm -q --verify kernel to fail, which may be an > undesirable side effect.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4006-3</xccdf:ident> > <xccdf:fix>rm /lib/modules/2.6.*/kernel/drivers/usb/storage/usb-storage.ko</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20022"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.1.3"> > <xccdf:title xml:lang="en">Disable Kernel Support for USB via Bootloader Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > Another means of disabling USB storage is to disable all USB > support provided by the operating system. This can be accomplished by adding the > 'nousb' argument to the kernel's boot loader configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > NOTE > - Disabling all kernel support for USB will cause problems for systems with USB-based > keyboards, mice, or printers. This guidance is inappropriate for systems which require > USB connectivity. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.1.3.a" selected="false" weight="10.0"> > <xccdf:title>Disable Kernel Support for USB via Bootloader Configuration</xccdf:title> > <xccdf:description>USB kernel support should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4173-1</xccdf:ident> > <xccdf:fixtext>To disable kernel support for USB, append 'nousb' to the kernel line in > /etc/grub.conf as follows: kernel /vmlinuz-version ro vga=ext > root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20023"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.1.4"> > <xccdf:title xml:lang="en">Disable Booting from USB Devices</xccdf:title> > <xccdf:description xml:lang="en"> > An attacker with physical access could try to boot the system > from a USB flash drive and then access any data on the system's hard drive, > circumventing the normal operating system's access controls. To prevent this, > configure the BIOS to disallow booting from USB drives. 
Also configure the BIOS or > firmware password as described in Section 2.3.5.1 to prevent unauthorized > configuration changes.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.1.4.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Disable Booting from USB Devices in the BIOS</xccdf:title> > <xccdf:description>The ability to boot from USB devices should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3944-6</xccdf:ident> > <xccdf:fixtext>BIOS settings</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20024"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.2"> > <xccdf:title xml:lang="en">Disable the Automounter if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > If the autofs service is not needed to dynamically mount NFS > filesystems or removable media, disable the service. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The autofs daemon mounts and unmounts filesystems, such as user home directories shared > via NFS, on demand. In addition, autofs can be used to handle removable media, and the > default configuration provides the cdrom device as /misc/cd. However, this method of > providing access to removable media is not common, so autofs can almost always be > disabled if NFS is not in use. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Even if NFS is required, it is almost always > possible to configure filesystem mounts statically by editing /etc/fstab rather than > relying on the automounter. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable the Automounter if Possible</xccdf:title> > <xccdf:description>The autofs service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4072-5</xccdf:ident> > <xccdf:fix>chkconfig autofs off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20025"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.3"> > <xccdf:title xml:lang="en">Disable GNOME Automounting if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > The system's default desktop environment, GNOME, runs the > program gnome-volume-manager to mount devices and removable media (such as DVDs, CDs and > USB flash drives) whenever they are inserted into the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The system's capabilities for automatic mounting should be configured to match whatever > is defined by security policy. Disabling USB storage as described in Section 2.2.2.2.1 > will prevent the use of USB storage devices, but this step can also be taken as an > additional layer of prevention and to prevent automatic mounting of CDs and DVDs if > required. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Particularly for kiosk-style systems, where users should > have extremely limited access to the system, more detailed information can be found in > Red Hat Desktop: Deployment Guide. The gconf-editor program, available in an RPM of the > same name, can be used to explore other settings available in the GNOME environment. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable GNOME Automounting if Possible</xccdf:title> > <xccdf:description>The GNOME automounter (gnome-volume-manager) should be disabled if possible</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4231-7</xccdf:ident> > <xccdf:fixtext>Execute the following commands to prevent gnome-volume-manager from automatically > mounting devices and media: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> > # gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory > --type bool --set /desktop/gnome/volume_manager/automount_media false > <xhtml:br/> <xhtml:br/> > # gconftool-2 --direct > --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory > --type bool > --set /desktop/gnome/volume_manager/automount_drives false > </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify the changes by executing > the following command, which should return a list of settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># gconftool-2 -R /desktop/gnome/volume_manager <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The automount drives and automount media settings should > be set to false. 
Survey the list for any other options that should be adjusted.</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20026"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.2.4"> > <xccdf:title xml:lang="en">Disable Mounting of Uncommon Filesystem Types</xccdf:title> > <xccdf:description xml:lang="en"> > Listing a kernel module in /etc/modprobe.d/blacklist.conf prevents the > kernel module loading system from inserting the module into the kernel. > This mechanism effectively prevents usage of these uncommon filesystems.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.4.a" selected="false" weight="10.0"> > <xccdf:title>Disable Mounting of cramfs</xccdf:title> > <xccdf:description>cramfs is an uncommon filesystem</xccdf:description> > <xccdf:fix>echo "blacklist cramfs" >> /etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20027"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.4.b" selected="false" weight="10.0"> > <xccdf:title>Disable Mounting of freevxfs</xccdf:title> > <xccdf:description>freevxfs is an uncommon filesystem</xccdf:description> > <xccdf:fix>echo "blacklist freevxfs" >> /etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20028"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.4.c" selected="false" weight="10.0"> > <xccdf:title>Disable Mounting of jffs2</xccdf:title> > <xccdf:description>jffs2 is an uncommon filesystem</xccdf:description> > <xccdf:fix>echo "blacklist jffs2" >> 
/etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20029"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.4.d" selected="false" weight="10.0"> > <xccdf:title>Disable Mounting of hfs</xccdf:title> > <xccdf:description>hfs is an uncommon filesystem</xccdf:description> > <xccdf:fix>echo "blacklist hfs" >> /etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20030"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.4.e" selected="false" weight="10.0"> > <xccdf:title>Disable Mounting of hfsplus</xccdf:title> > <xccdf:description>hfsplus is an uncommon filesystem</xccdf:description> > <xccdf:fix>echo "blacklist hfsplus" >> /etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20031"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.4.f" selected="false" weight="10.0"> > <xccdf:title>Disable Mounting of squashfs</xccdf:title> > <xccdf:description>squashfs is an uncommon filesystem</xccdf:description> > <xccdf:fix>echo "blacklist squashfs" >> /etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20032"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.2.4.g" selected="false" weight="10.0"> > <xccdf:title>Disable Mounting of udf</xccdf:title> > <xccdf:description>udf is an uncommon filesystem</xccdf:description> > <xccdf:fix>echo "blacklist udf" >> 
/etc/modprobe.d/blacklist.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20033"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.3"> > <xccdf:title xml:lang="en">Verify Permissions on Important Files and Directories</xccdf:title> > <xccdf:description xml:lang="en"> > Permissions for many files on a system should be set to conform > to system policy. This section discusses important permission restrictions which > should be checked on a regular basis to ensure that no harmful discrepancies have arisen. > </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.3.1"> > <xccdf:title xml:lang="en">Verify Permissions on passwd, shadow, group and gshadow Files</xccdf:title> > <xccdf:description xml:lang="en"> > These are the default permissions for these files. 
Many > utilities need read access to the passwd file in order to function properly, but read > access to the shadow file allows malicious attacks against system passwords, and should > never be enabled.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.2.3.1.i" operator="equals" type="string"> > <xccdf:title>Permissions for shadow</xccdf:title> > <xccdf:description>File permissions for /etc/shadow</xccdf:description> > <xccdf:question xml:lang="en">Select permissions for /etc/shadow</xccdf:question> > <xccdf:value>000000000</xccdf:value> > <xccdf:value selector="000">000000000</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="644">110100100</xccdf:value> > <xccdf:match>^[10]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.2.3.1.j" operator="equals" type="string"> > <xccdf:title>Permissions for group</xccdf:title> > <xccdf:description>File permissions for /etc/group</xccdf:description> > <xccdf:question xml:lang="en">Select permissions for /etc/group</xccdf:question> > <xccdf:value>110100100</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="644">110100100</xccdf:value> > <xccdf:value selector="700">111000000</xccdf:value> > <xccdf:match>^[10]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.2.3.1.k" operator="equals" type="string"> > <xccdf:title>Permissions for gshadow</xccdf:title> > <xccdf:description>File permissions for /etc/gshadow</xccdf:description> > <xccdf:question xml:lang="en">Select permissions for /etc/gshadow</xccdf:question> > <xccdf:value>000000000</xccdf:value> > <xccdf:value selector="000">000000000</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="644">110100100</xccdf:value> > <xccdf:match>^[10]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.2.3.1.l" operator="equals" type="string"> > <xccdf:title>Permissions for 
passwd</xccdf:title> > <xccdf:description>File permissions for /etc/passwd</xccdf:description> > <xccdf:question xml:lang="en">Select permissions for /etc/passwd</xccdf:question> > <xccdf:value>110100100</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="644">110100100</xccdf:value> > <xccdf:value selector="700">111000000</xccdf:value> > <xccdf:match>^[10]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify user who owns 'shadow' file</xccdf:title> > <xccdf:description>The /etc/shadow file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3918-0</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20034"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify group who owns 'shadow' file</xccdf:title> > <xccdf:description>The /etc/shadow file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3988-3</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20035"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify user who owns 'group' file</xccdf:title> > <xccdf:description>The /etc/group file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3276-3</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20036"/> > 
</xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.d" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify group who owns 'group' file</xccdf:title> > <xccdf:description>The /etc/group file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3883-6</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20037"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.e" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify user who owns 'gshadow' file</xccdf:title> > <xccdf:description>The /etc/gshadow file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4210-1</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20038"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.f" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify group who owns 'gshadow' file</xccdf:title> > <xccdf:description>The /etc/gshadow file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4064-2</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20039"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.g" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify user who owns 'passwd' file</xccdf:title> > <xccdf:description>The /etc/passwd file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3958-6</xccdf:ident> > <xccdf:check 
system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20040"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.h" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify group who owns 'passwd' file</xccdf:title> > <xccdf:description>The /etc/passwd file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3495-9</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20041"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.i" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify permissions on 'shadow' file</xccdf:title> > <xccdf:description>File permissions for /etc/shadow should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4130-1</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20042" value-id="xccdf_cdf_value_var-2.2.3.1.i"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20042"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.j" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify permissions on 'group' file</xccdf:title> > <xccdf:description>File permissions for /etc/group should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3967-7</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20043" value-id="xccdf_cdf_value_var-2.2.3.1.j"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20043"/> > 
</xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.k" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify permissions on 'gshadow' file</xccdf:title> > <xccdf:description>File permissions for /etc/gshadow should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3932-1</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20044" value-id="xccdf_cdf_value_var-2.2.3.1.k"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20044"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.1.l" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify permissions on 'passwd' file</xccdf:title> > <xccdf:description>File permissions for /etc/passwd should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3566-7</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20045" value-id="xccdf_cdf_value_var-2.2.3.1.l"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20045"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.3.2"> > <xccdf:title xml:lang="en">Verify that All World-Writable Directories Have Sticky Bits Set</xccdf:title> > <xccdf:description xml:lang="en"> > When the so-called 'sticky bit' is set on a directory, only the > owner of a given file may remove that file from the directory. Without the sticky bit, > any user with write access to a directory may remove any file in the directory. Setting > the sticky bit prevents users from removing each other's files. 
In cases where there is > no reason for a directory to be world-writable, a better solution is to remove that > permission rather than to set the sticky bit. However, if a directory is used by a > particular application, consult that application's documentation instead of blindly > changing modes.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Verify that All World-Writable Directories Have Sticky Bits Set</xccdf:title> > <xccdf:description>The sticky bit should be set for all world-writable directories.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3399-3</xccdf:ident> > <xccdf:fixtext>Locate any directories in local partitions which are world-writable and do not have > their sticky bits set. The following command will discover and print these. Run it > once for each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d \( -perm -0002 -a ! 
> -perm -1000 \) -print </xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If this command produces any output, fix each reported directory > /dir using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod +t /dir</xhtml:code></xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20046"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.3.3"> > <xccdf:title xml:lang="en">Find Unauthorized World-Writable Files</xccdf:title> > <xccdf:description xml:lang="en"> > Data in world-writable files can be modified by any user on the > system. In almost all circumstances, files can be configured using a combination of user > and group permissions to support whatever legitimate access is needed without the risk > caused by world-writable files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is generally a good idea to > remove global (other) write access to a file when it is discovered. However, check with > documentation for specific applications before making changes. Also, monitor for > recurring world-writable files, as these may be symptoms of a misconfigured application > or user account. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Find Unauthorized World-Writable Files</xccdf:title> > <xccdf:description>The world-write permission should be disabled for all files.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3795-2</xccdf:ident> > <xccdf:fixtext>The following command discovers any world-writable files in local > partitions and removes their world-write permission. Run it once for each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">find PART -xdev -type f -perm -0002 -print | xargs chmod o-w</xhtml:code></xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20047"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.3.4"> > <xccdf:title xml:lang="en">Find Unauthorized SUID/SGID System Executables</xccdf:title> > <xccdf:description xml:lang="en"> > The following command discovers and prints any setuid or setgid > files on local partitions. 
Run it once for each local partition : <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> # for PART in `mount -t ext2,ext3,ext4 | awk '{print $3}'`; > do find $PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print; > done </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the file does not require a setuid or > setgid bit as discussed below, then these bits can be removed with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> # chmod -s file </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The following table contains all setuid and setgid files which are expected to > be on a stock system. The setuid or setgid bit on these files may be disabled to reduce > system risk if only an administrator requires their functionality. The table indicates > those files which may not be needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: Several of these files are used for applications which are unlikely to be > relevant to most production environments, such as ISDN networking, SSH hostbased > authentication, or modification of network interfaces by unprivileged users. It is > extremely likely that your site can disable a subset of these files with no loss of > functionality. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Any files found by the above command which are not in the table should be examined. > If the files are not authorized, they should have permissions removed, and further > investigation may be warranted. 
> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:tr><xhtml:td>File</xhtml:td><xhtml:td>Set-ID</xhtml:td><xhtml:td>Package</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/bin/mount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/bin/ping</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>iputils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/bin/ping6</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>iputils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/bin/su</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>coreutils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/bin/umount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/bin/fusermount</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>fuse</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/bin/cgexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>libcgroup</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/sbin/mount.nfs</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nfs-utils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/sbin/umount.nfs</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nfs-utils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/sbin/netreport</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>initscripts</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/sbin/pam_timestamp_check</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/sbin/unix_chkpwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/at</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>at</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/chage</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/chfn</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/chsh</xhtml:td><xhtml:td>uid 
root</xhtml:td><xhtml:td>util-linux-ng</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/crontab</xhtml:td><xhtml:td>uid/gid root</xhtml:td><xhtml:td>cronie</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/gpasswd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/locate</xhtml:td><xhtml:td>gid slocate</xhtml:td><xhtml:td>mlocate</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/lockfile</xhtml:td><xhtml:td>gid mail</xhtml:td><xhtml:td>procmail</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/gnomine</xhtml:td><xhtml:td>gid games</xhtml:td><xhtml:td>gnome-games</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/iagno</xhtml:td><xhtml:td>gid games</xhtml:td><xhtml:td>gnome-games</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/newgrp</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>shadow-utils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/passwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>passwd</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/pkexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>polkit</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/rcp</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/rlogin</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/rsh</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>rsh</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/staprun</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>systemtap-runtime</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/ssh-agent</xhtml:td><xhtml:td>gid nobody</xhtml:td><xhtml:td>openssh-clients</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/sudo</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>sudo</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/sudoedit</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>sudo</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/wall</xhtml:td><xhtml:td>gid 
tty</xhtml:td><xhtml:td>sysvinit-tools</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/write</xhtml:td><xhtml:td>gid tty</xhtml:td><xhtml:td>util-linux-ng</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/screen</xhtml:td><xhtml:td>gid screen</xhtml:td><xhtml:td>screen</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/jwhois</xhtml:td><xhtml:td>gid jwhois</xhtml:td><xhtml:td>jwhois</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/Xorg</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>xorg-x11-server-Xorg</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/bin/ksu</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>krb5-workstation</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/lockdev</xhtml:td><xhtml:td>gid lock</xhtml:td><xhtml:td>lockdev</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/sendmail.sendmail</xhtml:td><xhtml:td>gid smmsp</xhtml:td><xhtml:td>sendmail</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/suexec</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>httpd</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/seunshare</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>policycoreutils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/userhelper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>usermode</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/userisdnctl</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>isdn4k-utils</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/mtr</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>mtr</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/usernetctl</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>initscripts</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/sbin/ccreds_chkpwd</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pam_ccreds</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/openssh/ssh-keysign</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>ssh</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/kde4/kpac_dhcp_helper</xhtml:td><xhtml:td>uid 
root</xhtml:td><xhtml:td>kdelibs</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/polkit-1/polkit-agent-helper-1</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>polkit</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/pt_chown</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>glibc-common</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/pulse/proximity-helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>pulseaudio-module-bluetooth</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/news/innbind</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>inn</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/news/rnews</xhtml:td><xhtml:td>uid uucp</xhtml:td><xhtml:td>inn</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/libexec/utempter/utempter</xhtml:td><xhtml:td>gid utmp</xhtml:td><xhtml:td>libutempter</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/lib/nspluginwrapper/plugin-config</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>nspluginwrapper</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/lib/vte/gnome-pty-helper</xhtml:td><xhtml:td>gid utmp</xhtml:td><xhtml:td>vte</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/usr/share/BackupPC/sbin/BackupPC_Admin</xhtml:td><xhtml:td>uid backuppc</xhtml:td><xhtml:td>BackupPC</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/var/cache/jwhois/jwhois.db</xhtml:td><xhtml:td>gid jwhois</xhtml:td><xhtml:td>jwhois</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>/lib/dbus-1/dbus-daemon-launch-helper</xhtml:td><xhtml:td>uid root</xhtml:td><xhtml:td>dbus</xhtml:td></xhtml:tr></xhtml:table> > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Find Unauthorized SGID System Executables</xccdf:title> > <xccdf:description>The sgid bit should not be set for all files.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4178-0</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref 
href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20048"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.4.b" selected="false" severity="high" weight="10.0"> > <xccdf:title>Find Unauthorized SUID System Executables</xccdf:title> > <xccdf:description>The suid bit should not be set for all files.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3324-1</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20049"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.3.5"> > <xccdf:title xml:lang="en">Find and Repair Unowned Files</xccdf:title> > <xccdf:description xml:lang="en"> > The following command will discover and print any files on > local partitions which do not belong to a valid user and a valid group. Run it once for > each local partition PART: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev \( -nouser -o -nogroup \) -print </xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If this command prints any results, investigate each reported file and either assign it to an > appropriate user and group or remove it. Unowned files are not directly exploitable, but > they are generally a sign that something is wrong with some system process. They may be > caused by an intruder, by incorrect software installation or incomplete software > removal, or by failure to remove all files belonging to a deleted account. 
The files > should be repaired so that they will not cause problems when accounts are created in the > future, and the problem which led to unowned files should be discovered and addressed.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.5.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Find files unowned by a user</xccdf:title> > <xccdf:description>All files should be owned by a user</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4223-4</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20050"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.5.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Find files unowned by a group</xccdf:title> > <xccdf:description>All files should be owned by a group</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3573-3</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20051"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.3.6"> > <xccdf:title xml:lang="en">Verify that All World-Writable Directories Have Proper Ownership</xccdf:title> > <xccdf:description xml:lang="en"> > Locate any directories in local partitions which are world-writable and > ensure that they are owned by root or another system account. The following command will discover > and print these (assuming only system accounts have a uid lower than 500). 
Run it once for each > local partition PART:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># find PART -xdev -type d -perm -0002 -uid +500 -print<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If this command produces any output, investigate why the current owner is not root or another > system account.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Allowing a user account to own a world-writable directory is undesirable because it allows the > owner of that directory to remove or replace any files that may be placed in the directory by > other users.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.3.6.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Find world writable directories not owned by a system account</xccdf:title> > <xccdf:description>All world writable directories should be owned by a system user</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20052"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.4"> > <xccdf:title xml:lang="en">Restrict Programs from Dangerous Execution Patterns</xccdf:title> > <xccdf:description xml:lang="en"> > The recommendations in this section provide broad protection > against information disclosure or other misbehavior. 
These protections are applied at the > system initialization or kernel level, and defend against certain types of > badly-configured or compromised programs.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.4.1"> > <xccdf:title xml:lang="en">Set Daemon umask</xccdf:title> > <xccdf:description xml:lang="en"> > The system umask for scripts in /etc/init.d must be set to at least 022, or daemon > processes may create world-writable files. The more restrictive setting > 027 protects files, including temporary files and log files, from unauthorized reading > by unprivileged users on the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a particular daemon needs a > less restrictive umask, consider editing the startup script or sysconfig file of that > daemon to make a specific exception. > </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.2.4.1.a" operator="equals" type="string"> > <xccdf:title>daemon umask</xccdf:title> > <xccdf:description>Enter umask for daemons</xccdf:description> > <xccdf:question xml:lang="en">Enter umask which will be used for new files created by daemons</xccdf:question> > <xccdf:value>022</xccdf:value> > <xccdf:value selector="022">022</xccdf:value> > <xccdf:value selector="027">027</xccdf:value> > <xccdf:match>^0?[0-7][0-7][0-7]?$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.4.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Daemon umask</xccdf:title> > <xccdf:description>The daemon umask should be set to profile value</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4220-0</xccdf:ident> > <xccdf:fixtext>Edit the file /etc/rc.d/init.d/functions, and add or correct the following line: umask > <xccdf:sub idref="xccdf_cdf_value_var-2.2.4.1.a"/></xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export 
export-name="oval:org.open-scap.f14:var:20053" value-id="xccdf_cdf_value_var-2.2.4.1.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20053"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.4.2"> > <xccdf:title xml:lang="en">Disable Core Dumps</xccdf:title> > <xccdf:description xml:lang="en"> > A core dump file is the memory image of an executable program > when it was terminated by the operating system due to errant behavior. In most cases, > only software developers would legitimately need to access these files. The core dump > files may also contain sensitive information, or unnecessarily occupy large amounts of > disk space. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, the system sets a soft limit to stop the > creation of core dump files for all users. This is accomplished in /etc/profile with the > line: ulimit -S -c 0 > /dev/null 2>&1 However, compliance with this > limit is voluntary; it is a default intended only to protect users from the annoyance of > generating unwanted core files. Users can increase the allowed core file size up to the > hard limit, which is unlimited by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Once a hard limit is set > in /etc/security/limits.conf, the user cannot increase that limit within his own > session. If access to core dumps is required, consider restricting them to only certain > users or groups. See the limits.conf man page for more > information. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The core dumps of setuid programs are further > protected. The sysctl variable fs.suid_dumpable controls whether the kernel allows core > dumps from these programs at all. 
The default value of 0 is recommended. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.4.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable Core Dumps for all users</xccdf:title> > <xccdf:description>Core dumps for all users should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4225-9</xccdf:ident> > <xccdf:fixtext>To disable core dumps for all users, add or correct the following line in > /etc/security/limits.conf: * hard core 0</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20055"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.4.2.b" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable Core Dumps for SUID programs</xccdf:title> > <xccdf:description>Core dumps for setuid programs should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4247-3</xccdf:ident> > <xccdf:fixtext>To ensure that core dumps can never be made by setuid programs, edit > /etc/sysctl.conf and add or correct the line: fs.suid_dumpable = 0</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20056"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.4.3"> > <xccdf:title xml:lang="en">Enable ExecShield</xccdf:title> > <xccdf:description xml:lang="en"> > ExecShield comprises a number of kernel features to provide > protection against buffer overflows. These features include random placement of the > stack and other memory regions, prevention of execution in memory that should only hold > data, and special handling of text buffers. 
This protection is enabled by default, but > the sysctl variables kernel.exec-shield and kernel.randomize_va_space should be checked > to ensure that they have not been disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ExecShield uses the > segmentation feature on all x86 systems to prevent execution in memory higher than a > certain address. It writes an address as a limit in the code segment descriptor, to > control where code can be executed, on a per-process basis. When the kernel places a > process's memory regions such as the stack and heap higher than this address, the > hardware prevents execution there. However, this cannot always be done for all memory > regions in which execution should not occur, so follow guidance in Section 2.2.4.4 to > further protect the system. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.4.3.a" selected="false" weight="10.0"> > <xccdf:title>Enable ExecShield</xccdf:title> > <xccdf:description>ExecShield should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4168-1</xccdf:ident> > <xccdf:fixtext>To ensure ExecShield (including random placement of virtual memory regions) is > activated at boot, add or correct the following settings in /etc/sysctl.conf: > kernel.exec-shield = 1</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20057"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.4.3.b" selected="false" weight="10.0"> > <xccdf:title>Enable ExecShield randomized placement of virtual memory regions</xccdf:title> > <xccdf:description>ExecShield randomized placement of virtual memory regions should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4146-7</xccdf:ident> > <xccdf:fixtext>To ensure ExecShield (including random 
placement of virtual memory regions) is > activated at boot, add or correct the following settings in /etc/sysctl.conf: > kernel.randomize_va_space = 2</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20058"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.4.4"> > <xccdf:title xml:lang="en">Enable Execute Disable (XD) or No Execute (NX) Support on x86 Systems</xccdf:title> > <xccdf:description xml:lang="en"> > Recent processors in the x86 family support the ability to > prevent code execution on a per memory page basis. Generically and on AMD processors, > this ability is called No Execute (NX), while on Intel processors it is called Execute > Disable (XD). This ability can help prevent exploitation of buffer overflow > vulnerabilities and should be activated whenever possible. Extra steps must be taken to > ensure that this protection is enabled, particularly on 32-bit x86 systems. 
Other > processors, such as Itanium and POWER, have included such support since inception and > the standard kernel for those platforms supports the feature.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.4.4.1"> > <xccdf:title xml:lang="en">Check for Processor Support on x86 Systems</xccdf:title> > <xccdf:description xml:lang="en"> > Check to see if the processor supports the PAE and NX > features: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ cat /proc/cpuinfo</xhtml:code> If supported, the flags field will contain pae and nx.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.2.4.4.2"> > <xccdf:title xml:lang="en">Enable NX or XD Support in the BIOS</xccdf:title> > <xccdf:description xml:lang="en"> > Computers with the ability to prevent this type of code > execution frequently put an option in the BIOS that will allow users to turn the > feature on or off at will. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See Section 2.3.5.1 for information on protecting this and > other BIOS settings.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.2.4.4.2.a" selected="false" weight="10.0"> > <xccdf:title>Enable NX or XD Support in the BIOS</xccdf:title> > <xccdf:description>The XD/NX processor feature should be enabled in the BIOS</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4177-2</xccdf:ident> > <xccdf:fixtext>Reboot the system and enter the BIOS or 'Setup' configuration menu. Navigate the > BIOS configuration menu and make sure that the option is enabled. The setting may be > located under a 'Security' section. 
Look for Execute Disable (XD) on Intel-based > systems and No Execute (NX) on AMD-based systems.</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20060"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3"> > <xccdf:title xml:lang="en">Account and Access Control</xccdf:title> > <xccdf:description xml:lang="en"> > In traditional Unix security, if an attacker gains shell access to > a certain login account, he can perform any action or access any file to which that account > has access. Therefore, making it more difficult for unauthorized people to gain shell access > to accounts, particularly to privileged accounts, is a necessary part of securing a system. > This section introduces mechanisms for restricting access to login accounts.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1"> > <xccdf:title xml:lang="en">Protect Accounts by Restricting Password-Based Login</xccdf:title> > <xccdf:description xml:lang="en"> > Conventionally, Unix shell accounts are accessed by providing a > username and password to a login program, which tests these values for correctness using > the /etc/passwd and /etc/shadow files. Password-based login is vulnerable to guessing of > weak passwords, and to sniffing and man-in-the-middle attacks against passwords entered > over a network or at an insecure console. Therefore, mechanisms for accessing accounts by > entering usernames and passwords should be restricted to those which are operationally > necessary.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.1"> > <xccdf:title xml:lang="en">Restrict Root Logins to System Console</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/securetty. 
Ensure that the file contains > only the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The primary system console device: <xhtml:br/>console</xhtml:li><xhtml:li>The virtual console devices: <xhtml:br/>tty1 tty2 tty3 tty4 tty5 > tty6 ... </xhtml:li><xhtml:li>If required by your organization, the deprecated virtual console interface > may be retained for backwards compatibility:<xhtml:br/>vc/1 vc/2 vc/3 vc/4 vc/5 > vc/6 ...</xhtml:li><xhtml:li>If required by your organization, the serial consoles may be added:<xhtml:br/> > ttyS0 ttyS1</xhtml:li></xhtml:ul> > Direct root logins should be allowed only for > emergency use. In normal situations, the administrator should access the system via a > unique unprivileged account, and use su or sudo to execute privileged commands. > Discouraging administrators from accessing the root account directly ensures an audit > trail in organizations with multiple administrators. Locking down the channels through > which root can connect directly reduces opportunities for password-guessing against the > root account. The login program uses the file /etc/securetty to determine which > interfaces should allow root logins. The virtual devices /dev/console and /dev/tty* > represent the system consoles (accessible via the Ctrl-Alt-F1 through Ctrl-Alt-F6 > keyboard sequences on a default installation). The default securetty file also contains > /dev/vc/*. These are likely to be deprecated in most environments, but may be retained > for compatibility. Root should also be prohibited from connecting via network protocols. 
> See Section 3.5 for instructions on preventing root from logging in via SSH.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Restrict Root Logins to System Console</xccdf:title> > <xccdf:description>Logins through the specified virtual console interface should be disabled > </xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3820-8</xccdf:ident> > <xccdf:fixtext>Edit /etc/securetty</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20061"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Restrict Root Logins to System Console</xccdf:title> > <xccdf:description>Logins through the specified virtual console device should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3485-0</xccdf:ident> > <xccdf:fixtext> Edit /etc/securetty</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20062"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.1.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Restrict virtual console Root Logins</xccdf:title> > <xccdf:description>Logins through the virtual console devices should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4111-1</xccdf:ident> > <xccdf:fixtext> Edit /etc/securetty</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20063"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.1.d" selected="false" 
severity="medium" weight="10.0"> > <xccdf:title>Restrict serial port Root Logins</xccdf:title> > <xccdf:description>Login prompts on serial ports should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4256-4</xccdf:ident> > <xccdf:fixtext>Edit /etc/securetty</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20064"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.2"> > <xccdf:title xml:lang="en">Limit su Access to the Root Account</xccdf:title> > <xccdf:description xml:lang="en"> > The su command allows a user to gain the privileges of another user by entering the > password for that user's account. It is desirable to restrict the root user so that only > known administrators are ever allowed to access the root account. This restricts > password-guessing against the root account by unauthorized users or by accounts which > have been compromised. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By convention, the group wheel contains all users who are allowed to run privileged > commands. The PAM module pam_wheel.so is used to restrict root access to this set of > users.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Limit su Access to the Root Account</xccdf:title> > <xccdf:description>The wheel group should exist</xccdf:description> > <xccdf:fixtext> Ensure that the group wheel exists, and that the usernames of all administrators > who should be allowed to execute commands as root are members of that group. 
> </xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20065"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Limit su Access to the wheel group</xccdf:title> > <xccdf:description>Command access to the root account should be restricted to the wheel group.</xccdf:description> > <xccdf:fixtext> Edit the file /etc/pam.d/su. Add, uncomment, or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">auth required pam_wheel.so use_uid</xhtml:code> > </xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20066"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.3"> > <xccdf:title xml:lang="en">Configure sudo to Improve Auditing of Root Access</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Ensure that the group wheel exists, and that the usernames > of all administrators who should be allowed to execute commands as root are members of > that group. <xhtml:br/> > <xhtml:br/> > <xhtml:code># grep ^wheel /etc/group</xhtml:code></xhtml:li><xhtml:li>Edit the file /etc/sudoers. Add, uncomment, or > correct the line: <xhtml:br/> > <xhtml:br/> > %wheel ALL=(ALL) ALL</xhtml:li></xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The sudo command allows fine-grained control over > which users can execute commands using other accounts. 
The primary benefit of sudo when > configured as above is that it provides an audit trail of every command run by a > privileged user. It is possible for a malicious administrator to circumvent this > restriction, but, if there is an established procedure that all root commands are run > using sudo, then it is easy for an auditor to detect unusual behavior when this > procedure is not followed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Editing /etc/sudoers by hand can be dangerous, since a configuration error may make it > impossible to access the root account remotely. The recommended means of editing this > file is using the visudo command, which checks the file's syntax for correctness before > allowing it to be saved.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note that sudo allows any attacker who gains access to the password of an administrator > account to run commands as root. This is a downside which must be weighed against the > benefits of increased audit capability and of being able to heavily restrict the use of > the high-value root password (which can be logistically difficult to change often). As > a basic precaution, never use the NOPASSWD directive, which would allow anyone with > access to an administrator account to execute commands as root without knowing the > administrator's password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The sudo command has many options which can be used to further customize its behavior. 
> See the sudoers(5) man page for details.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Configure sudo to Improve Auditing of Root Access</xccdf:title> > <xccdf:description>Sudo privileges should be granted to the wheel group</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4044-4</xccdf:ident> > <xccdf:fix>echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20067"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.4"> > <xccdf:title xml:lang="en">Block Shell and Login Access for Non-Root System Accounts</xccdf:title> > <xccdf:description xml:lang="en"> > Using /etc/passwd, obtain a listing of all users, their UIDs, > and their shells, for instance by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Identify the system accounts from this listing. 
These will primarily be the accounts > with UID numbers less than 500, other than root.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For each identified system account SYSACCT , lock the account: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -L SYSACCT <xhtml:br/></xhtml:code> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and disable its shell: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># usermod -s /sbin/nologin SYSACCT <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These are the accounts which are > not associated with a human user of the system, but which exist to perform some > administrative function. Make it more difficult for an attacker to use these accounts by > locking their passwords and by setting their shells to some non-valid shell. The Fedora > default non-valid shell is /sbin/nologin, but any command which will exit with a failure > status and disallow execution of any further commands, such as /bin/false or /dev/null, > will work.</xccdf:description> > <xccdf:warning category="functionality" xml:lang="en">Do not perform the steps in this section on the root account. 
> Doing so might cause the system to become inaccessible.</xccdf:warning> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Block Shell and Login Access for Non-Root System Accounts</xccdf:title> > <xccdf:description>Login access to non-root system accounts should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3987-5</xccdf:ident> > <xccdf:fixtext>Edit /etc/passwd</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20068"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.5"> > <xccdf:title xml:lang="en">Verify Proper Storage and Existence of Password Hashes</xccdf:title> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.5.1"> > <xccdf:title xml:lang="en">Verify that No Accounts Have Empty Password Fields</xccdf:title> > <xccdf:description xml:lang="en"> > Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 == "") {print}' /etc/shadow <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If this produces any output, fix the problem by locking each account > (see Section 2.3.1.4 above) or by setting a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If an account has an empty password, anybody may log in and run commands with the > privileges of that account. 
Accounts with empty passwords should never be used in > operational environments.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.5.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify that No Accounts Have Empty Password Fields</xccdf:title> > <xccdf:description>Login access to accounts without passwords should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4238-2</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20069"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.5.2"> > <xccdf:title xml:lang="en">Verify that All Account Password Hashes are Shadowed</xccdf:title> > <xccdf:description xml:lang="en"> > To ensure that no password hashes are stored in /etc/passwd, the following command should have no output:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($2 != "x") {print}' /etc/passwd<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The hashes for all user account passwords should be stored in the file /etc/shadow and never in /etc/passwd, > which is readable by all users. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.5.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify that All Account Password Hashes are Shadowed</xccdf:title> > <xccdf:description>Check that passwords are shadowed</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:200695"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.6"> > <xccdf:title xml:lang="en">Verify that No Non-Root Accounts Have UID 0</xccdf:title> > <xccdf:description xml:lang="en"> > This command will print all password file entries for accounts > with UID 0: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># awk -F: '($3 == "0") {print}' /etc/passwd <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This should print only one line, for the user root. If any other lines appear, ensure > that these additional UID-0 accounts are authorized, and that there is a good reason for > them to exist. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In general, the best practice solution for auditing use of the root account is to restrict > the set of cases in which root must be accessed anonymously by requiring use of su or sudo > in almost all cases. 
Some sites choose to have more than one account with UID 0 in order > to differentiate between administrators, but this practice may have unexpected side > effects, and is therefore not recommended.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.6.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Verify that No Non-Root Accounts Have UID 0</xccdf:title> > <xccdf:description>Anonymous root logins should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4009-7</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20070"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.7"> > <xccdf:title xml:lang="en">Set Password Expiration Parameters</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/login.defs to specify password expiration > settings for new accounts. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"> > PASS_MAX_DAYS=180<xhtml:br/> > PASS_MIN_DAYS=7 <xhtml:br/> > PASS_MIN_LEN=8 <xhtml:br/> > PASS_WARN_AGE=7 <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For each existing human user USER , modify the current expiration settings to match > these: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chage -M 180 -m 7 -W 7 USER<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Users should be forced to change their passwords, in order to decrease the utility of > compromised passwords. 
However, the need to change passwords often should be balanced > against the risk that users will reuse or write down passwords if forced to change them > too often. Forcing password changes every 90-360 days, depending on the environment, is > recommended. Set the appropriate value as PASS_MAX_DAYS and apply it to existing > accounts with the -M flag. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The PASS_MIN_DAYS (-m) setting prevents password changes for 7 days after the first > change, to discourage password cycling. If you use this setting, train users to contact > an administrator for an emergency password change in case a new password becomes > compromised. The PASS_WARN_AGE (-W) setting gives users 7 days of warnings at login time > that their passwords are about to expire.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The PASS_MIN_LEN setting, which controls minimum password length, should be set to > whatever is required by your site or organization security policy. The example value of > 8 provided here may be inadequate for many environments. 
See Section 2.3.3 for > information on how to enforce more sophisticated requirements on password length and > quality > </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.1.7.a" operator="equals" type="string"> > <xccdf:title xml:lang="en">minimum password length</xccdf:title> > <xccdf:description xml:lang="en">Minimum number of characters in password</xccdf:description> > <xccdf:warning>This will only check new passwords</xccdf:warning> > <xccdf:question xml:lang="en">Select minimum number of characters in password</xccdf:question> > <xccdf:value>14</xccdf:value> > <xccdf:value selector="5">5</xccdf:value> > <xccdf:value selector="6">6</xccdf:value> > <!-- NIST 800-53 requires 1 in a million using brute force which translates to six numbers --> > <xccdf:value selector="8">8</xccdf:value> > <xccdf:value selector="10">10</xccdf:value> > <xccdf:value selector="14">14</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.1.7.b" operator="equals" type="string"> > <xccdf:title>minimum password age</xccdf:title> > <xccdf:description xml:lang="en">Enter minimum duration before allowing a password change</xccdf:description> > <xccdf:question xml:lang="en">Select minimum duration (in days) before allowing a password change</xccdf:question> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="1_day">1</xccdf:value> > <xccdf:value selector="7_days">7</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.1.7.c" operator="equals" type="string"> > <xccdf:title>maximum password age</xccdf:title> > <xccdf:description xml:lang="en">Enter age before which a password must be changed</xccdf:description> > <xccdf:question xml:lang="en">Select age (in days) before which a password must be changed</xccdf:question> > <xccdf:value>60</xccdf:value> > <xccdf:value selector="0_days">0</xccdf:value> > <xccdf:value selector="30_days">30</xccdf:value> > <xccdf:value 
selector="60_days">60</xccdf:value> > <xccdf:value selector="90_days">90</xccdf:value> > <xccdf:value selector="120_days">120</xccdf:value> > <xccdf:value selector="150_days">150</xccdf:value> > <xccdf:value selector="180_days">180</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.1.7.d" operator="equals" type="string"> > <xccdf:title>password warn age</xccdf:title> > <xccdf:description xml:lang="en"> > The number of days warning given before a password expires. A zero > means warning is given only upon the day of expiration, a negative > value means no warning is given. If not specified, no warning will > be provided.</xccdf:description> > <xccdf:question xml:lang="en">Select number of days warning is given before a password expires</xccdf:question> > <xccdf:value>14</xccdf:value> > <xccdf:value selector="7_days">7</xccdf:value> > <xccdf:value selector="8_days">8</xccdf:value> > <xccdf:value selector="14_days">14</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.7.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set password minimum length</xccdf:title> > <xccdf:description xml:lang="en">The password minimum length should be set to: > <xccdf:sub idref="xccdf_cdf_value_var-2.3.1.7.a"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4154-1</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20071" value-id="xccdf_cdf_value_var-2.3.1.7.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20071"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.7.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set minimum password age</xccdf:title> > <xccdf:description>The minimum password age should be set to: > <xccdf:sub 
idref="xccdf_cdf_value_var-2.3.1.7.b"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4180-6</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20072" value-id="xccdf_cdf_value_var-2.3.1.7.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20072"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.7.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set maximum password age</xccdf:title> > <xccdf:description>The maximum password age should be set to: > <xccdf:sub idref="xccdf_cdf_value_var-2.3.1.7.c"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4092-3</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20073" value-id="xccdf_cdf_value_var-2.3.1.7.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20073"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.7.d" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set password warn age</xccdf:title> > <xccdf:description>The password warn age should be set to: > <xccdf:sub idref="xccdf_cdf_value_var-2.3.1.7.d"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4097-2</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20074" value-id="xccdf_cdf_value_var-2.3.1.7.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20074"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.1.8"> > <xccdf:title xml:lang="en">Remove Legacy + Entries from Password Files</xccdf:title> > <xccdf:description 
xml:lang="en"> > The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># grep "^+:" /etc/passwd /etc/shadow /etc/group<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > should produce no output. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The + symbol was used by systems to include data from NIS maps > into existing files. However, a certain configuration error in which a NIS inclusion > line appears in /etc/passwd, but NIS is not running, could lead to anyone being able to > access the system with the username + and no password. Therefore, it is important to > verify that no such line appears in any of the relevant system files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The correct way to > tell the local system to consult network databases such as LDAP or NIS for user > information is to make appropriate modifications to /etc/nsswitch.conf.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.8.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Remove Legacy + Entries from /etc/shadow</xccdf:title> > <xccdf:description>NIS file inclusions should be set appropriately in the /etc/shadow file</xccdf:description> > <xccdf:fixtext>(1) via /etc/shadow</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20075"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.8.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Remove Legacy + Entries from /etc/group</xccdf:title> > <xccdf:description>NIS file inclusions should be set appropriately in the /etc/group 
file</xccdf:description> > <xccdf:fixtext>(1) via /etc/group</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20076"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.1.8.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Remove Legacy + Entries from /etc/passwd</xccdf:title> > <xccdf:description>NIS file inclusions should be set appropriately in the /etc/passwd file</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4114-5</xccdf:ident> > <xccdf:fixtext>(1) via /etc/passwd</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20077"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.2"> > <xccdf:title xml:lang="en">Use Unix Groups to Enhance Security</xccdf:title> > <xccdf:description xml:lang="en"> > The access control policies which can be enforced by standard > Unix permissions are limited, and configuring SELinux (Section 2.4) is frequently a better > choice. However, this guide recommends that security be enhanced to the extent possible by > enforcing the Unix group policies outlined in this section.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.2.1" weight="1.0"> > <xccdf:title xml:lang="en">Create a Unique Default Group for Each User</xccdf:title> > <xccdf:description xml:lang="en"> > When running useradd, do not use the -g flag or otherwise > override the default group. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Red Hat default is that each new user account should > have a unique primary group whose name is the same as that of the account. 
This default > is recommended, in order to provide additional protection against files which are > created with group write permission enabled.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.2.2"> > <xccdf:title xml:lang="en">Create and Maintain a Group Containing All Human Users</xccdf:title> > <xccdf:description xml:lang="en"> > Identify all user accounts on the system which correspond to > human users. Depending on your system configuration, this may be all entries in > /etc/passwd with UID values of at least 500. Once, you have identified such a set of > users, create a group named usergroup (substitute some name appropriate to your > environment) and populate it with each human user: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># groupadd usergroup <xhtml:br/> > # usermod -G usergroup human1 <xhtml:br/> > # usermod -G usergroup human2 ... <xhtml:br/> > # usermod -G usergroup humanN <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Then modify your procedure for creating new user accounts by adding -G usergroup to the > set of flags with which useradd is invoked, so that new human users will be placed in > the correct group by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Creating a group of human users does not, by itself, enhance > system security. However, as you work on securing your system, you will often find > commands which never need to be run by system accounts, or which are only ever needed by > users logged into the graphical console (which should only ever be available to human > users, even on workstations). 
Once a group of users has been created, it is easy to > restrict access to a given command, for instance /path/to/graphical/command , to > authorized users: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chgrp usergroup /path/to/graphical/command <xhtml:br/> > # chmod 750 /path/graphical/command <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Without a group of human users, it is necessary to restrict > access by somehow preventing each system account from running the command, which is an > error-prone process even when it is possible at all.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3"> > <xccdf:title xml:lang="en">Protect Accounts by Configuring PAM</xccdf:title> > <xccdf:description xml:lang="en"> > PAM, or Pluggable Authentication Modules, is a system which > implements modular authentication for Linux programs. PAM is well-integrated into Linux's > authentication architecture, making it difficult to remove, but it can be configured to > minimize your system's exposure to unnecessary risk. This section contains guidance on how > to accomplish that, and how to ensure that the modules used by your PAM configuration do > what they are supposed to do. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > PAM is implemented as a set of shared objects which are > loaded and invoked whenever an application wishes to authenticate a user. Typically, the > application must be running as root in order to take advantage of PAM. Traditional > privileged network listeners (e.g. sshd) or SUID programs (e.g. sudo) already meet this > requirement. An SUID root application, userhelper, is provided so that programs which are > not SUID or privileged themselves can still take advantage of PAM. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > PAM looks in the > directory /etc/pam.d for application-specific configuration information. For instance, if > the program login attempts to authenticate a user, then PAM's libraries follow the > instructions in the file /etc/pam.d/login to determine what actions should be taken. > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>One > very important file in /etc/pam.d is /etc/pam.d/system-auth. This file, which is included > by many other PAM configuration files, defines 'default' system authentication measures. > Modifying this file is a good way to make far-reaching authentication changes, for > instance when implementing a centralized authentication service. > </xccdf:description> > <xccdf:warning xml:lang="en"> > Be careful when making changes to PAM's configuration files. The syntax for these files > is complex, and modifications can have unexpected consequences. The default > configurations shipped with applications should be sufficient for most users. > </xccdf:warning> > <xccdf:warning xml:lang="en"> > Running authconfig or system-config-authentication will re-write the PAM configuration > files, destroying any manually made changes and replacing them with a series of system > defaults. One reference to the configuration file syntax can be found at > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html. > </xccdf:warning> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3.1"> > <xccdf:title xml:lang="en">Set Password Quality Requirements</xccdf:title> > <xccdf:description xml:lang="en"> > The default pam_cracklib PAM module provides strength checking > for passwords. 
It performs a number of checks, such as making sure passwords are not > similar to dictionary words, are of at least a certain length, are not the previous > password reversed, and are not simply a change of case from the previous password. It > can also require passwords to be in certain character classes.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The pam_passwdqc PAM module provides the ability to enforce even more stringent > password strength requirements. It is provided in an RPM of the same name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The man pages pam_cracklib(8) and pam_passwdqc(8) provide information on the > capabilities and configuration of each. > </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3.1.1"> > <xccdf:title xml:lang="en">Set Password Quality Requirements, if using pam_cracklib</xccdf:title> > <xccdf:description xml:lang="en"> > The pam_cracklib PAM module can be configured to meet > recommendations for DoD systems as stated in [12].<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To configure pam_cracklib to require at least one uppercase character, lowercase > character, digit, and other (special) character, locate the following line in > /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and then alter it to read:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > password required pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 / > ucredit=-1 ocredit=-1 lcredit=0<xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If necessary, modify the arguments to ensure compliance with your organization's > security policy. > </xccdf:description> > <xccdf:warning xml:lang="en">Note that the password quality requirements are not enforced > for the root account for some reason. > </xccdf:warning> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.1.a.retry"> > <xccdf:title xml:lang="en">retry</xccdf:title> > <xccdf:description xml:lang="en">Number of retry attempts before erroring out</xccdf:description> > <xccdf:question xml:lang="en">Select number of password retry attempts before erroring out</xccdf:question> > <xccdf:value>3</xccdf:value> > <xccdf:value selector="1">1</xccdf:value> > <xccdf:value selector="2">2</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.1.a.difok"> > <xccdf:title xml:lang="en">difok</xccdf:title> > <xccdf:description xml:lang="en">Minimum number of characters not present in old password</xccdf:description> > <xccdf:warning xml:lang="en">Keep this high for short passwords</xccdf:warning> > <xccdf:question xml:lang="en">Select minimum number of characters not present in old password</xccdf:question> > <xccdf:value>5</xccdf:value> > <xccdf:value selector="2">2</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > <xccdf:value selector="4">4</xccdf:value> > <xccdf:value selector="5">5</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.1.a.minlen"> > <xccdf:title xml:lang="en">minlen</xccdf:title> > <xccdf:description xml:lang="en">Minimum number of characters in password</xccdf:description> > <xccdf:question xml:lang="en">Select minimum number of characters in password</xccdf:question> > <xccdf:value>14</xccdf:value> > <xccdf:value selector="6">6</xccdf:value> > <!-- NIST 800-53 requires 1 in 
a million using brute force which translates to six numbers --> > <xccdf:value selector="8">8</xccdf:value> > <xccdf:value selector="10">10</xccdf:value> > <xccdf:value selector="14">14</xccdf:value> > <xccdf:value selector="15">15</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.1.a.dcredit"> > <xccdf:title xml:lang="en">dcredit</xccdf:title> > <xccdf:description xml:lang="en">Minimum number of digits in password</xccdf:description> > <xccdf:question xml:lang="en">Select number of digits in password</xccdf:question> > <xccdf:value>-2</xccdf:value> > <xccdf:value selector="2">-2</xccdf:value> > <xccdf:value selector="1">-1</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:match>^-?[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.1.a.ocredit"> > <xccdf:title xml:lang="en">ocredit</xccdf:title> > <xccdf:description xml:lang="en">Minimum number of other (special) characters in password</xccdf:description> > <xccdf:question xml:lang="en">Select number of special characters in password</xccdf:question> > <xccdf:value>-2</xccdf:value> > <xccdf:value selector="2">-2</xccdf:value> > <xccdf:value selector="1">-1</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:match>^-?[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.1.a.lcredit"> > <xccdf:title xml:lang="en">lcredit</xccdf:title> > <xccdf:description xml:lang="en">Minimum number of lower case in password</xccdf:description> > <xccdf:question xml:lang="en">Select minimum number of lower case in password</xccdf:question> > <xccdf:value>-2</xccdf:value> > <xccdf:value selector="2">-2</xccdf:value> > <xccdf:value selector="1">-1</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:match>^-?[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.1.a.ucredit"> > <xccdf:title xml:lang="en">ucredit</xccdf:title> > 
<xccdf:description xml:lang="en">Minimum number of upper case in password</xccdf:description> > <xccdf:question xml:lang="en">Select minimum number of upper case in password</xccdf:question> > <xccdf:value>-2</xccdf:value> > <xccdf:value selector="2">-2</xccdf:value> > <xccdf:value selector="1">-1</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:match>^-?[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.1.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Password Quality Requirements</xccdf:title> > <xccdf:description>The password strength should meet minimum requirements</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3762-2</xccdf:ident> > <xccdf:fixtext>(1) via PAM</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200781" value-id="xccdf_cdf_value_var-2.3.3.1.1.a.retry"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200782" value-id="xccdf_cdf_value_var-2.3.3.1.1.a.minlen"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200783" value-id="xccdf_cdf_value_var-2.3.3.1.1.a.dcredit"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200784" value-id="xccdf_cdf_value_var-2.3.3.1.1.a.ucredit"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200785" value-id="xccdf_cdf_value_var-2.3.3.1.1.a.ocredit"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200786" value-id="xccdf_cdf_value_var-2.3.3.1.1.a.lcredit"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200787" value-id="xccdf_cdf_value_var-2.3.3.1.1.a.difok"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20078"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3.1.2"> > <xccdf:title xml:lang="en">Set Password 
Quality Requirements, if using pam_passwdqc</xccdf:title> > <xccdf:description xml:lang="en"> > If password strength stronger than that guaranteed by > pam_cracklib is required, configure PAM to use pam_passwdqc.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To activate pam_passwdqc, locate the following line in /etc/pam.d/system-auth:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > password requisite pam_cracklib.so try_first_pass retry=3<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and then replace it with the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > password requisite pam_passwdqc.so min=disabled,disabled,16,12,8<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If necessary, modify the arguments (min=disabled,disabled,16,12,8) to ensure > compliance with your organization's security policy. Configuration options are > described in the man page pam_passwdqc(8) and also in /usr/share/doc/pam_passwdqc-version. > The minimum lengths provided here supersede that specified > by the argument PASS_MIN_LEN as described in Section 2.3.1.7.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The options given in the example above set a minimum length for each of the > password "classes" that pam_passwdqc recognizes. Setting a particular minimum > value to disabled will stop users from choosing a password that falls into > that category alone. 
> </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.N0"> > <!-- TODO --> > <xccdf:title xml:lang="en">N0</xccdf:title> > <xccdf:description xml:lang="en"> > N0 is used for passwords consisting of characters > from one character class only. The character classes are: digits, > lower-case letters, upper-case letters, and other characters. There is > also a special class for non-ASCII characters which could not be > classified, but are assumed to be non-digits. </xccdf:description> > <xccdf:value>24</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:value selector="24">24</xccdf:value> > <xccdf:value selector="30">30</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.N1"> > <!-- TODO --> > <xccdf:title xml:lang="en">N1</xccdf:title> > <xccdf:description xml:lang="en"> > N1 is used for passwords consisting of characters > from two character classes which do not meet the requirements for a > passphrase.</xccdf:description> > <xccdf:value>16</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:value selector="18">18</xccdf:value> > <xccdf:value selector="24">24</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.N2"> > <!-- TODO --> > <xccdf:title xml:lang="en">N2</xccdf:title> > <xccdf:description xml:lang="en"> > N2 is used for passphrases. Note that besides > meeting this length requirement, a passphrase must also consist of a > sufficient number of words (see the "passphrase" option below). 
</xccdf:description> > <xccdf:value>16</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:value selector="16">16</xccdf:value> > <xccdf:value selector="17">17</xccdf:value> > <xccdf:value selector="18">18</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.N3"> > <!-- TODO --> > <xccdf:title xml:lang="en">N3</xccdf:title> > <xccdf:description xml:lang="en">N3 is the number of characters required for a password that uses characters from 3 character classes.</xccdf:description> > <xccdf:question xml:lang="en">Select the number of characters required for a password that uses characters from 3 character classes</xccdf:question> > <xccdf:value>16</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:value selector="14">14</xccdf:value> > <xccdf:value selector="15">15</xccdf:value> > <xccdf:value selector="16">16</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.N4"> > <!-- TODO --> > <xccdf:title xml:lang="en">N4</xccdf:title> > <xccdf:description xml:lang="en">N4 is the number of characters required for a password that uses characters from 4 character classes.</xccdf:description> > <xccdf:question xml:lang="en">Select the number of characters required for a password that uses characters from 4 character classes</xccdf:question> > <xccdf:value>14</xccdf:value> > <xccdf:value selector="10">10</xccdf:value> > <xccdf:value selector="12">12</xccdf:value> > <xccdf:value selector="14">14</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.passphrase"> > <!-- TODO --> > <xccdf:title xml:lang="en">passphrase</xccdf:title> > <xccdf:description xml:lang="en">The number of words required for a passphrase, or 0 to disable the support for user-chosen passphrases. 
</xccdf:description> > <xccdf:question xml:lang="en">Select the number of words required for a passphrase</xccdf:question> > <xccdf:value>3</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > <xccdf:value selector="5">5</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.match"> > <!-- TODO --> > <xccdf:title xml:lang="en">match</xccdf:title> > <xccdf:description xml:lang="en"> > The length of common substring required to > conclude that a password is at least partially based on information > found in a character string, or 0 to disable the substring search. > Note that the password will not be rejected once a weak substring is > found; it will instead be subjected to the usual strength requirements > with the weak substring removed.</xccdf:description> > <xccdf:question xml:lang="en">Enter the length of common substring required to conclude that a password is at least partially based on information found in a character string</xccdf:question> > <xccdf:value>5</xccdf:value> > <xccdf:value selector="disable">0</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > <xccdf:value selector="4">4</xccdf:value> > <xccdf:value selector="5">5</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.1.2.a.retry"> > <!-- TODO --> > <xccdf:title xml:lang="en">retry</xccdf:title> > <xccdf:description xml:lang="en"> > The number of times the module will ask for a > new password if the user fails to provide a sufficiently strong > password and enter it twice the first time. 
</xccdf:description> > <xccdf:question xml:lang="en">Enter the number of times the module will ask for a new password if the user fails to provide a sufficiently strong password</xccdf:question> > <xccdf:value>3</xccdf:value> > <xccdf:value selector="2">2</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > <xccdf:value selector="4">4</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.1.2.a" selected="false" weight="10.0"> > <xccdf:title>Set Password Quality Requirements using pam_passwdqc</xccdf:title> > <xccdf:description>The password strength should meet minimum requirements</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3762-2</xccdf:ident> > <xccdf:fixtext>(1) via PAM</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200790" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.N0"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200791" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.N1"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200792" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.N2"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200793" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.N3"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200794" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.N4"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200795" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.passphrase"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200796" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.match"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200797" value-id="xccdf_cdf_value_var-2.3.3.1.2.a.retry"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20079"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group 
hidden="false" id="xccdf_cdf_group_group-2.3.3.2"> > <xccdf:title xml:lang="en">Set Lockouts for Failed Password Attempts</xccdf:title> > <xccdf:description xml:lang="en"> > The pam_tally2 PAM module provides the capability to lock out > user accounts after a number of failed login attempts. Its documentation is available in > /usr/share/doc/pam-version/txts/README.pam_tally2. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If locking out accounts after a number of incorrect login attempts is required by your > security policy, implement use of pam_tally2.so for the relevant PAM-aware programs > such as login, sshd, and vsftpd. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Find the following line in /etc/pam.d/system-auth: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > auth sufficient pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and then change it so that it reads as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > auth required pam_unix.so nullok try_first_pass <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In the same file, comment out or delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > auth requisite pam_succeed_if.so uid >= 500 quiet <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > auth required pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To enforce password lockout, add the following to the individual programs' > configuration files in /etc/pam.d. 
First, add to end of the auth lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > auth required pam_tally2.so deny=5 onerr=fail <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Second, add to the end of the account lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > account required pam_tally2.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Adjust the deny argument to conform to your system security policy. The pam_tally2 > utility can be used to unlock user accounts as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># /sbin/pam_tally2 --user username --reset <xhtml:br/></xhtml:code> > </xccdf:description> > <xccdf:warning xml:lang="en"> > Locking out user accounts presents the risk of a denial-of-service attack. The security > policy regarding system lockout must weigh whether the risk of such a denial-of-service > attack outweighs the benefits of thwarting password guessing attacks. The pam_tally2 > utility can be run from a cron job on a hourly or daily basis to try and offset this > risk. 
> </xccdf:warning> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.2.a.deny"> > <!-- TODO --> > <xccdf:title xml:lang="en">deny</xccdf:title> > <xccdf:description xml:lang="en">Deny access if tally for this user exceeds n.</xccdf:description> > <xccdf:value>3</xccdf:value> > <xccdf:value selector="1">1</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > <xccdf:value selector="5">5</xccdf:value> > <xccdf:value selector="10">10</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.2.a.lock_time"> > <xccdf:title xml:lang="en">lock_time</xccdf:title> > <xccdf:description xml:lang="en">Always deny for n seconds after failed attempt.</xccdf:description> > <xccdf:value>5</xccdf:value> > <xccdf:value selector="1">1</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > <xccdf:value selector="5">5</xccdf:value> > <xccdf:value selector="10">10</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.2.a.unlock_time"> > <xccdf:title xml:lang="en">unlock_time</xccdf:title> > <xccdf:description xml:lang="en"> > Allow access after n seconds after failed attempt. If this > option is used the user will be locked out for the specified amount of time after > he exceeded his maximum allowed attempts. 
Otherwise the account is locked until the > lock is removed by a manual intervention of the system administrator.</xccdf:description> > <xccdf:question xml:lang="en">Select time (in seconds) user will be locked out after he exceeded his maximum allowed attempts</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="none">1</xccdf:value> > <xccdf:value selector="15_minutes">900</xccdf:value> > <xccdf:value selector="30_minutes">1800</xccdf:value> > <xccdf:value selector="1_hour">3600</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Lockouts for Failed Password Attempts</xccdf:title> > <xccdf:description>The "account lockout threshold" policy should meet minimum requirements.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3410-8</xccdf:ident> > <xccdf:fixtext>(1) via PAM</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200801" value-id="xccdf_cdf_value_var-2.3.3.2.a.deny"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200802" value-id="xccdf_cdf_value_var-2.3.3.2.a.lock_time"/> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:200803" value-id="xccdf_cdf_value_var-2.3.3.2.a.unlock_time"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20080"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.2.b" selected="false" weight="10.0"> > <xccdf:title>Do not leak information on authorization failure</xccdf:title> > <xccdf:description>Authorization failures should not alert attackers as to what went wrong.</xccdf:description> > <xccdf:fixtext>(1) via /etc/pam.d/system-auth</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > 
<xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:200805"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Do not log authorization failures and successes</xccdf:title> > <xccdf:description>Remove pam_succeed_if module with quiet option and remove auth pam_deny line.</xccdf:description> > <xccdf:fixtext>(1) via /etc/pam.d/system-auth</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:200806"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3.3"> > <xccdf:title xml:lang="en">Use pam_deny.so to Quickly Deny Access to a Service</xccdf:title> > <xccdf:description xml:lang="en"> > In order to deny access to a service SVCNAME via PAM, edit the > file /etc/pam.d/SVCNAME . Prepend this line to the beginning of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > auth requisite pam_deny.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Under most circumstances, there are better ways to disable a service than to > deny access via PAM. However, this should suffice as a way to quickly make a service > unavailable to future users (existing sessions which have already been authenticated, > are not affected). The requisite tag tells PAM that, if the named module returns > failure, authentication should fail, and PAM should immediately stop processing the > configuration file. 
The pam_deny.so module always returns failure regardless of its > input.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3.4"> > <xccdf:title xml:lang="en">Restrict Execution of userhelper to Console Users</xccdf:title> > <xccdf:description xml:lang="en"> > If your environment has defined a group, usergroup containing > all the human users of your system, restrict execution of the userhelper program to only > that group: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chgrp usergroup /usr/sbin/userhelper <xhtml:br/> > # chmod 4710 /usr/sbin/userhelper <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The userhelper program provides authentication for graphical services which must run > with root privileges, such as the system-config- family of graphical configuration > utilities. Only human users logged into the system console are likely to ever have a > legitimate need to run these utilities. This step provides some protection against > possible flaws in userhelper's implementation, and against further privilege escalation > when system accounts are compromised. See Section 2.3.2.2 for more information on > creating a group of human users. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The userhelper program is configured by the files in /etc/security/console.apps/. Each > file specifies, for some program, what user the program should run as, and what program > should be executed after successful authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The configuration in /etc/security/console.apps/ is applied in > combination with the PAM configuration of the service defined in /etc/pam.d/. 
First, > userhelper determines what user the service should run as. (Typically, this will be > root.) Next, userhelper uses the PAM API to allow the user who ran the program to > attempt to authenticate as the desired user. The PAM API exchange is wrapped in a GUI if > the application's configuration requests one.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.4.a" operator="equals" type="string"> > <xccdf:title>Name of group containing human users</xccdf:title> > <xccdf:description xml:lang="en">Enter group to aggregate human users</xccdf:description> > <xccdf:value>usergroup</xccdf:value> > <xccdf:value selector="usergroup">usergroup</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.4.b" operator="equals" type="string"> > <xccdf:title>userhelper file permissions</xccdf:title> > <xccdf:description xml:lang="en">Enter file permissions for /usr/sbin/userhelper</xccdf:description> > <xccdf:question xml:lang="en">Enter file permissions for /usr/sbin/userhelper</xccdf:question> > <xccdf:value>100111001000</xccdf:value> > <xccdf:value selector="4710">100111001000</xccdf:value> > <xccdf:match>^[10]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.4.a" selected="false" weight="10.0"> > <xccdf:title>Restrict Execution of userhelper to Console Users</xccdf:title> > <xccdf:description>The /usr/sbin/userhelper file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4185-5</xccdf:ident> > <xccdf:fix># chgrp usergroup /usr/sbin/userhelper</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20081" value-id="xccdf_cdf_value_var-2.3.3.4.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20081"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.4.b" selected="false" weight="10.0"> > 
<xccdf:title>Restrict File permissions of userhelper</xccdf:title> > <xccdf:description>File permissions for /usr/sbin/userhelper should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3952-9</xccdf:ident> > <xccdf:fix># chmod 4710 /usr/sbin/userhelper</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20082" value-id="xccdf_cdf_value_var-2.3.3.4.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20082"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3.5"> > <xccdf:title xml:lang="en">Password Hashing Algorithm</xccdf:title> > <xccdf:description xml:lang="en"> > The default algorithm for storing password hashes should be SHA-512. > </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.5.a" operator="equals" type="string"> > <xccdf:title>Password hashing algorithm</xccdf:title> > <xccdf:description xml:lang="en">Enter /etc/shadow password hashing algorithm</xccdf:description> > <xccdf:question xml:lang="en">Enter /etc/shadow password hashing algorithm</xccdf:question> > <xccdf:value>sha512</xccdf:value> > <xccdf:value selector="MD5">md5</xccdf:value> > <xccdf:value selector="SHA-256">sha256</xccdf:value> > <xccdf:value selector="SHA-512">sha512</xccdf:value> > <xccdf:choices> > <xccdf:choice>md5</xccdf:choice> > <xccdf:choice>sha256</xccdf:choice> > <xccdf:choice>sha512</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.5.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Password hashing algorithm</xccdf:title> > <xccdf:description>The password hashing algorithm should be set to SHA-512</xccdf:description> > <xccdf:fix>/usr/sbin/authconfig --passalgo=sha512 --update</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> 
> <xccdf:check-export export-name="oval:org.open-scap.f14:var:20083" value-id="xccdf_cdf_value_var-2.3.3.5.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20083"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.3.6"> > <xccdf:title xml:lang="en">Limit Password Reuse</xccdf:title> > <xccdf:description xml:lang="en"> > Do not allow users to reuse recent passwords. This can be > accomplished by using the remember option for the pam_unix PAM module. In order to > prevent a user from re-using any of his or her last <xccdf:sub idref="xccdf_cdf_value_var-2.3.3.6.a"/> passwords, > append remember=<xccdf:sub idref="xccdf_cdf_value_var-2.3.3.6.a"/> to the password line which uses the > pam_unix module in the file /etc/pam.d/system-auth, as shown:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > password sufficient pam_unix.so existing_options remember=<xccdf:sub idref="xccdf_cdf_value_var-2.3.3.6.a"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Old (and thus no longer valid) passwords are stored in the file /etc/security/opasswd. > </xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.3.6.a" operator="equals" type="string"> > <xccdf:title>remember</xccdf:title> > <xccdf:description xml:lang="en"> > The last n passwords for each user are saved in > /etc/security/opasswd in order to force password change history and keep the user from > alternating between the same password too frequently. 
</xccdf:description> > <xccdf:question xml:lang="en">Enter how many last passwords will be saved to keep the user from alternating between the same password too frequently</xccdf:question> > <xccdf:value>5</xccdf:value> > <xccdf:value selector="5">5</xccdf:value> > <xccdf:value selector="10">10</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.3.6.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Limit password reuse</xccdf:title> > <xccdf:description>The passwords to remember should be set to: <xccdf:sub idref="xccdf_cdf_value_var-2.3.3.6.a"/></xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20084" value-id="xccdf_cdf_value_var-2.3.3.6.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20084"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.4"> > <xccdf:title xml:lang="en">Secure Session Configuration Files for Login Accounts</xccdf:title> > <xccdf:description xml:lang="en"> > When a user logs into a Unix account, the system configures the > user's session by reading a number of files. Many of these files are located in the user's > home directory, and may have weak permissions as a result of user error or > misconfiguration. If an attacker can modify or even read certain types of account > configuration information, he can often gain full access to the affected user's account. 
> Therefore, it is important to test and correct configuration file permissions for > interactive accounts, particularly those of privileged users such as root or system > administrators.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.4.1"> > <xccdf:title xml:lang="en">Ensure that No Dangerous Directories Exist in Root's Path</xccdf:title> > <xccdf:description xml:lang="en"> > The active path of the root account can be obtained by starting > a new root shell and running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># echo $PATH <xhtml:br/></xhtml:code> > This will produce a colon-separated list of directories in the path. For each directory > DIR in the path, ensure that DIR is not equal to a single . character. Also ensure that > there are no 'empty' elements in the path, such as in these examples: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">PATH=:/bin <xhtml:br/> > PATH=/bin: <xhtml:br/> > PATH=/bin::/sbin <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These empty elements have the same effect as a single . character. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For each element in the path, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld DIR <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and ensure that write permissions are disabled for group and other. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is important to prevent root from executing unknown or untrusted programs, since such > programs could contain malicious code. Therefore, root should not run programs installed > by unprivileged users. Since root may often be working inside untrusted directories, the > . character, which represents the current directory, should never be in the root path, > nor should any directory which can be written to by an unprivileged or semi-privileged > (system) user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is a good practice for administrators to always execute privileged > commands by typing the full path to the command.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.4.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure that No Dangerous Directories Exist in Root's Path</xccdf:title> > <xccdf:description>The PATH variable should be set correctly for user root</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3301-9</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20085"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.4.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Write permissions are disabled for group and other in all directories in Root's Path</xccdf:title> > <xccdf:description>Check each directory in root's path and make sure it does not grant write permission to group and other</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:200855"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group 
hidden="false" id="xccdf_cdf_group_group-2.3.4.2"> > <xccdf:title xml:lang="en">Ensure that User Home Directories are not Group-Writable or > World-Readable</xccdf:title> > <xccdf:description xml:lang="en"> > For each human user USER of the system, view the permissions of the > user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ensure that the directory is not group-writable and that it is not world-readable. If > necessary, repair the permissions:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod g-w /home/USER <xhtml:br/> > # chmod o-rwx /home/USER <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > User home directories contain many > configuration files which affect the behavior of a user's account. No user should ever > have write permission to another user's home directory. Group shared directories can be > configured in subdirectories or elsewhere in the filesystem if they are needed. > Typically, user home directories should not be world-readable. If a subset of users need > read access to one another's home directories, this can be provided using groups.</xccdf:description> > <xccdf:warning xml:lang="en">Sections 2.3.4.2–2.3.4.5 recommend modifying user home > directories. Notify your user community, and solicit input if appropriate, before making > this type of change. 
</xccdf:warning> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.4.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure that User Home Directories are not Group-Writable or World-Readable</xccdf:title> > <xccdf:description>File permissions should be set correctly for the home directories for all user accounts.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4090-7</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20086"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.4.3"> > <xccdf:title xml:lang="en">Ensure that User Dot-Files are not World-writable</xccdf:title> > <xccdf:description xml:lang="en"> > For each human user USER of the system, view the permissions of > all dot-files in the user's home directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -ld /home/USER/.[A-Za-z0-9]* <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ensure that none of these files are group- or world-writable. 
Correct each misconfigured file > FILE by executing: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod go-w /home/USER/FILE <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A user who can modify another user's configuration files can likely execute commands > with the other user's privileges, including stealing data, destroying files, or > launching further attacks on the system.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.4.4"> > <xccdf:title xml:lang="en">Ensure that Users Have Sensible Umask Values</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Edit the global configuration files /etc/bashrc and /etc/csh.cshrc. > Add or correct the line: umask <xccdf:sub idref="xccdf_cdf_value_var-2.3.4.4"/></xhtml:li><xhtml:li>View the additional configuration files /etc/csh.login and /etc/profile.d/*, > and ensure that none of these files redefine the umask to a more permissive value > unless there is a good reason for it.</xhtml:li></xhtml:ol> > With a default umask setting of 077, files and directories created by users will not be > readable by any other user on the system. Users who wish to make specific files group- > or world-readable can accomplish this using the chmod command. Additionally, users can > make all their files readable to their group by default by setting a umask of 027 in > their shell configuration files. If default per-user groups exist (that is, if every > user has a default group whose name is the same as that user's username and whose only > member is the user), then it may even be safe for users to select a umask of 007, making > it very easy to intentionally share files with groups of which the user is a member. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In addition, it may be necessary to change root's umask temporarily in order to install > software or files which must be readable by other users, or to change the default umasks > of certain service accounts such as the FTP user. However, setting a restrictive default > protects the files of users who have not taken steps to make their files more available, > and preventing files from being inadvertently shared.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.4.4" operator="equals" type="string"> > <xccdf:title>Sensible umask</xccdf:title> > <xccdf:description xml:lang="en">Enter default user umask</xccdf:description> > <xccdf:question xml:lang="en">Enter default user umask</xccdf:question> > <xccdf:value>002</xccdf:value> > <xccdf:value selector="002">002</xccdf:value> > <xccdf:value selector="007">007</xccdf:value> > <xccdf:value selector="022">022</xccdf:value> > <xccdf:value selector="027">027</xccdf:value> > <xccdf:value selector="077">077</xccdf:value> > <xccdf:match>^0?[0-7][0-7][0-7]?$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.4.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure that Users Have Sensible Umask Values in /etc/bashrc</xccdf:title> > <xccdf:description>The default umask for all users for the bash shell should be set to: > <xccdf:sub idref="xccdf_cdf_value_var-2.3.4.4"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3844-8</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20087" value-id="xccdf_cdf_value_var-2.3.4.4"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20087"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.4.4.b" selected="false" severity="medium" 
weight="10.0"> > <xccdf:title>Ensure that Users Have Sensible Umask Values in /etc/csh.cshrc</xccdf:title> > <xccdf:description>The default umask for all users for the csh shell should be set to: > <xccdf:sub idref="xccdf_cdf_value_var-2.3.4.4"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4227-5</xccdf:ident> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20087" value-id="xccdf_cdf_value_var-2.3.4.4"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20088"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.4.5"> > <xccdf:title xml:lang="en">Ensure that Users do not Have .netrc Files</xccdf:title> > <xccdf:description xml:lang="en"> > For each human user USER of the system, ensure that the user > has no .netrc file. The command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -l /home/USER /.netrc <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > should return the error 'No such file or directory'. If any user has such a file, > approach that user to discuss removing this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The .netrc file is a configuration file used to make unattended > logins to other systems via FTP. 
When this file exists, it frequently contains > unencrypted passwords which may be used to attack other systems.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.4.5.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title xml:lang="en">Check for existence of .netrc file</xccdf:title> > <xccdf:description xml:lang="en">No user directory should contain file .netrc</xccdf:description> > <xccdf:fix>rm .netrc</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20091"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5"> > <xccdf:title xml:lang="en">Protect Physical Console Access</xccdf:title> > <xccdf:description xml:lang="en"> > It is impossible to fully protect a system from an attacker with > physical access, so securing the space in which the system is located should be considered > a necessary step. However, there are some steps which, if taken, make it more difficult > for an attacker to quickly or undetectably modify a system from its console.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.1"> > <xccdf:title xml:lang="en">Set BIOS Password</xccdf:title> > <xccdf:description xml:lang="en"> > The BIOS (on x86 systems) is the first code to execute during > system startup and controls many important system parameters, including which devices > the system will try to boot from, and in which order. Assign a password to prevent any > unauthorized changes to the BIOS configuration. 
The exact steps will vary depending on > your machine, but are likely to include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Reboot the machine.</xhtml:li><xhtml:li>Press the appropriate key during the initial boot screen (F2 is typical)</xhtml:li><xhtml:li>Navigate the BIOS configuration menu to add a password.</xhtml:li></xhtml:ol> > The exact process will be system-specific and the system's > hardware manual may provide detailed instructions. This password should prevent > attackers with physical access from attempting to change important parameters, such as > those described in Sections 2.5.2.2.1 and 2.2.2.2.4. However, an attacker with physical > access can usually clear the BIOS password. The password should be written down and > stored in a physically-secure location, such as a safe, in the event that it is > forgotten and must be retrieved.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.2"> > <xccdf:title xml:lang="en">Set Boot Loader Password</xccdf:title> > <xccdf:description xml:lang="en"> > During the boot process, the boot loader is responsible for > starting the execution of the kernel and passing options to it. The boot loader allows > for the selection of different kernels — possibly on different partitions or media. > Options it can pass to the kernel include 'single-user mode,' which provides root access > without any authentication, and the ability to disable SELinux. To prevent local users > from modifying the boot parameters and endangering security, the boot loader > configuration should be protected with a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default Fedora boot loader for x86 systems is called GRUB. 
To protect its > configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Select a password and then generate a hash from it by running: <xhtml:br/> > <xhtml:br/> > <xhtml:code># grub-md5-crypt </xhtml:code> <xhtml:br/> <xhtml:br/> </xhtml:li><xhtml:li>Insert the following line into /etc/grub.conf immediately after the header > comments. (Use the output from grub-md5-crypt as the value of password-hash ): <xhtml:br/> > <xhtml:br/> > <xhtml:code>password --md5 password-hash </xhtml:code> <xhtml:br/> <xhtml:br/> </xhtml:li><xhtml:li>Verify the permissions on /etc/grub.conf (which is a symlink to ../boot/grub/grub.conf): > <xhtml:br/> > <xhtml:br/> > <xhtml:code># chown root:root /boot/grub/grub.conf <xhtml:br/> > # chmod 600 /boot/grub/grub.conf</xhtml:code></xhtml:li></xhtml:ol> > Boot loaders for other platforms should offer a similar password protection feature.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.5.2.a" operator="equals" type="string"> > <xccdf:title>User that owns /boot/grub/grub.conf</xccdf:title> > <xccdf:description xml:lang="en">Choose user that should own /boot/grub/grub.conf</xccdf:description> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.5.2.b" operator="equals" type="string"> > <xccdf:title>Group that owns /boot/grub/grub.conf</xccdf:title> > <xccdf:description xml:lang="en">Choose group that should own /boot/grub/grub.conf</xccdf:description> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.3.5.2.c" operator="equals" type="string"> > <xccdf:title>permissions on /boot/grub/grub.conf</xccdf:title> > <xccdf:description xml:lang="en">Choose file permissions on /boot/grub/grub.conf</xccdf:description> > <xccdf:value>110000000</xccdf:value> > <xccdf:value 
selector="600">110000000</xccdf:value> > <xccdf:match>^[01]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Boot Loader user owner</xccdf:title> > <xccdf:description>The /boot/grub/grub.conf file should be owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4144-2</xccdf:ident> > <xccdf:fix>chown root /boot/grub/grub.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20092" value-id="xccdf_cdf_value_var-2.3.5.2.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20092"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Boot Loader group owner</xccdf:title> > <xccdf:description>The /boot/grub/grub.conf file should be owned by group root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4197-0</xccdf:ident> > <xccdf:fix>chown :root /boot/grub/grub.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20093" value-id="xccdf_cdf_value_var-2.3.5.2.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20093"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set permission on /boot/grub/grub.conf</xccdf:title> > <xccdf:description>File permissions for /boot/grub/grub.conf should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3923-0</xccdf:ident> > <xccdf:fix>chmod 600 /boot/grub/grub.conf</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export 
export-name="oval:org.open-scap.f14:var:20094" value-id="xccdf_cdf_value_var-2.3.5.2.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20094"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.2.d" selected="false" severity="high" weight="10.0"> > <xccdf:title>Set Boot Loader Password</xccdf:title> > <xccdf:description>The grub boot loader should have password protection enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3818-2</xccdf:ident> > <xccdf:fixtext>Edit /boot/grub/grub.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20095"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.3"> > <xccdf:title xml:lang="en">Require Authentication for Single-User Mode</xccdf:title> > <xccdf:description xml:lang="en"> > Single-user mode is intended as a system recovery method, > providing a single user root access to the system by providing a boot option at startup. > By default, no authentication is performed if single-user mode is selected. This > provides a trivial mechanism of bypassing security on the machine and gaining root > access. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To require entry of the root password even if the system is started in > single-user mode, add the following line to the /etc/inittab file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ~~:S:wait:/sbin/sulogin</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Require Authentication for Single-User Mode</xccdf:title> > <xccdf:description>The requirement for a password to boot into single-user mode should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4241-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/inittab</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20096"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.4"> > <xccdf:title xml:lang="en">Disable Interactive Boot</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/sysconfig/init. Add or correct the setting:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > PROMPT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The PROMPT option allows the console user to perform an interactive system > startup, in which it is possible to select the set of services which are started on > boot. 
Using interactive boot, the console user could disable auditing, firewalls, or > other services, weakening system security.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Interactive Boot</xccdf:title> > <xccdf:description>The ability for users to perform interactive startups should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4245-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/init</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20097"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.5"> > <xccdf:title xml:lang="en">Implement Inactivity Time-out for Login Shells</xccdf:title> > <xccdf:description xml:lang="en"> > If the system does not run X Windows, then the login shells can > be configured to automatically log users out after a period of inactivity. The following > instructions are not practical for systems which run X Windows, as they will close > terminal windows in the X environment. For information on how to automatically lock > those systems, see Section 2.3.5.6. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To implement a 15-minute idle time-out for the > default /bin/bash shell, create a new file tmout.sh in the directory /etc/profile.d with > the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > TMOUT=900 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > readonly TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > export TMOUT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To implement a 15-minute idle > time-out for the tcsh shell, create a new file autologout.csh in the directory > /etc/profile.d with the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > set -r autologout 15 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Similar actions should be taken for any other login shells used. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The example time-out here of 15 minutes should be > adjusted to whatever your security policy requires. The readonly line for bash and the > -r option for tcsh can be omitted if policy allows users to override the value. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The automatic shell logout only occurs when the shell is the foreground process. If, for > example, a vi session is left idle, then automatic logout would not occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > When logging in through a remote connection, as with SSH, it may be more effective to set > the timeout value directly through that service. 
To learn how to set automatic timeout > intervals for SSH, see Section 3.5.2.3.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.5.5" operator="equals" type="string"> > <xccdf:title>Inactivity timeout</xccdf:title> > <xccdf:description xml:lang="en">Choose allowed duration of inactive SSH connections, shells, and X sessions</xccdf:description> > <xccdf:question xml:lang="en">Choose allowed duration of inactive SSH connections, shells and X sessions in minutes</xccdf:question> > <xccdf:value>15</xccdf:value> > <xccdf:value selector="0_minutes">0</xccdf:value> > <xccdf:value selector="10_minutes">10</xccdf:value> > <xccdf:value selector="15_minutes">15</xccdf:value> > <xccdf:match>^[\d]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.5.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Implement Inactivity Time-out for Login Shells</xccdf:title> > <xccdf:description>The idle time-out value for the default /bin/tcsh shell should be: > <xccdf:sub idref="xccdf_cdf_value_var-2.3.5.5"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3689-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/profile.d/autologout.csh</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20098" value-id="xccdf_cdf_value_var-2.3.5.5"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20098"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.5.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Implement Inactivity Time-out for Login Shells</xccdf:title> > <xccdf:description>The idle time-out value for the default /bin/bash shell should be: > <xccdf:sub idref="xccdf_cdf_value_var-2.3.5.5"/></xccdf:description> > <xccdf:warning xml:lang="en">Time out is in seconds</xccdf:warning> > <xccdf:ident 
system="http://cce.mitre.org">CCE-3707-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/profile.d/tmout.sh</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20099" value-id="xccdf_cdf_value_var-2.3.5.5"/> > <!-- turn minutes into seconds --> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20099"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.6"> > <xccdf:title xml:lang="en">Configure Screen Locking</xccdf:title> > <xccdf:description xml:lang="en"> > When a user must temporarily leave an account logged-in, screen > locking should be employed to prevent passersby from abusing the account. User education > and training is particularly important for screen locking to be effective. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A policy should be implemented that trains all users to lock the screen when they plan to > temporarily step away from a logged-in account. Automatic screen locking is only meant > as a safeguard for those cases where a user forgot to lock the screen.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.6.1"> > <xccdf:title xml:lang="en">Configure GUI Screen Locking</xccdf:title> > <xccdf:description xml:lang="en"> > In the default GNOME desktop, the screen can be locked by > choosing Lock Screen from the System menu. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The gconftool-2 program can be used to > enforce mandatory screen locking settings for the default GNOME environment. 
Run the > following commands to enforce idle activation of the screen saver, screen locking, a > blank-screen screensaver, and 15-minute idle activation time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:code> > # gconftool-2 --direct \ > --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ > --type bool \ > --set /apps/gnome-screensaver/idle_activation_enabled true > # gconftool-2 --direct \ > --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ > --type bool \ > --set /apps/gnome-screensaver/lock_enabled true > # gconftool-2 --direct \ > --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ > --type string \ > --set /apps/gnome-screensaver/mode blank-only > # gconftool-2 --direct \ > --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \ > --type int \ > --set /apps/gnome-screensaver/idle_delay 15 > </xhtml:code></xhtml:pre> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default setting of 15 minutes for idle > activation is reasonable for many office environments, but the setting should conform > to whatever policy is defined. The screensaver mode blank-only is selected to conceal > the contents of the display from passersby. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Because users should be trained to lock > the screen when they step away from the computer, the automatic locking feature is > only meant as a backup. The Lock Screen icon from the System menu can also be dragged > to the taskbar in order to facilitate even more convenient screen-locking. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The root > account cannot be screen-locked, but this should have no practical effect as the root > account should never be used to log into an X Windows environment, and should only be > used for direct login via console in emergency circumstances. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For more information > about configuring GNOME screensaver, see http://live.gnome.org/GnomeScreensaver. For > more information about enforcing preferences in the GNOME environment using the GConf > configuration system, see http://www.gnome.org/projects/gconf and the man page > gconftool-2(1).</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.6.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Implement Inactivity Time-out for Login Shells</xccdf:title> > <xccdf:description>The idle time-out value before the GNOME desktop locks should be 15 minutes</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3315-9</xccdf:ident> > <xccdf:fixtext>(1) via gconftool-2</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20098" value-id="xccdf_cdf_value_var-2.3.5.5"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20100"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.6.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Implement idle activation of screen saver</xccdf:title> > <xccdf:description>Idle activation of the screen saver should be enabled</xccdf:description> > <xccdf:fixtext>(1) via gconftool-2</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" 
name="oval:org.open-scap.f14:def:201005"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.6.1.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Implement idle activation of screen lock</xccdf:title> > <xccdf:description>Idle activation of the screen lock should be enabled</xccdf:description> > <xccdf:fixtext>(1) via gconftool-2</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201006"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.6.1.d" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Implement blank screen saver</xccdf:title> > <xccdf:description>The screen saver should be blank</xccdf:description> > <xccdf:fixtext>(1) via gconftool-2</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201007"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.6.2"> > <xccdf:title xml:lang="en">Configure Console Screen Locking</xccdf:title> > <xccdf:description xml:lang="en"> > A console screen locking mechanism is provided in the vlock > package, which is not installed by default. 
If the ability to lock console screens is > necessary, install the vlock package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vlock <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Instruct users to invoke the > program when necessary, in order to prevent passersby from abusing their login: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ vlock <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The -a option can be used to prevent switching to other virtual consoles.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.5.6.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Configure console screen locking</xccdf:title> > <xccdf:description>The vlock package should be installed</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3910-7</xccdf:ident> > <xccdf:fix>yum install vlock</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20101"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.5.7"> > <xccdf:title xml:lang="en">Disable Unnecessary Ports</xccdf:title> > <xccdf:description xml:lang="en"> > Though unusual, some systems may be managed only remotely and yet > also exposed to risk from attackers with direct physical access to them. In these cases, > reduce an attacker's access to the system by disabling unnecessary external ports (e.g. 
> USB, FireWire, NIC) in the system's BIOS.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Disable ports on the system which are not necessary for normal system operation. The exact > steps will vary depending on your machine, but are likely to include: > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Reboot the machine.</xhtml:li><xhtml:li>Press the appropriate key during the initial boot screen (F2 is typical). </xhtml:li><xhtml:li>Navigate the BIOS configuration menu to disable ports, such as USB, FireWire, and NIC.</xhtml:li></xhtml:ol> > </xccdf:description> > <xccdf:warning xml:lang="en">Disabling USB ports is particularly unusual and will cause problems > for important input devices such as keyboards or mice attached to the system.</xccdf:warning> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.6"> > <xccdf:title xml:lang="en">Use a Centralized Authentication Service</xccdf:title> > <xccdf:description xml:lang="en"> > A centralized authentication service is any method of maintaining > central control over account and authentication data and of keeping this data synchronized > between machines. Such services can range in complexity from a script which pushes > centrally-generated password files out to all machines, to a managed scheme such as LDAP > or Kerberos. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If authentication information is not centrally managed, it quickly becomes > inconsistent, leading to out-of-date credentials and forgotten accounts which should have > been deleted. In addition, many older protocols (such as NFS) make use of the UID to > identify users over a network. This is not a good practice, and these protocols should be > avoided if possible. 
However, since most sites must still make use of some older > protocols, having consistent UIDs and GIDs site-wide is a significant benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Centralized > authentication services do have the disadvantage that authentication information must be > transmitted over a network, leading to a risk that credentials may be intercepted or > manipulated. Therefore, these services must be deployed carefully. The following > precautions should be taken when configuring any authentication service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Ensure that authentication information and any sensitive account information > are never sent over the network unencrypted.</xhtml:li><xhtml:li>Ensure that the root account has a local password, to allow recovery in case > of network outage or authentication server failure.</xhtml:li></xhtml:ul> > This guide recommends > the use of LDAP. Secure configuration of OpenLDAP for clients and servers is described in > Section 3.12. Kerberos is also a good choice for a centralized authentication service, but > a description of its configuration is beyond the scope of this guide. The NIS service is > not recommended, and should be considered obsolete. (See Section 3.2.4.)</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.7"> > <xccdf:title xml:lang="en">Warning Banners for System Accesses</xccdf:title> > <xccdf:description xml:lang="en"> > Each system should expose as little information about itself as > possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > System banners, which are typically displayed just before a login prompt, give > out information about the service or the host's operating system. 
This might include the > distribution name and the system kernel version, and the particular version of a network > service. This information can assist intruders in gaining access to the system as it can > reveal whether the system is running vulnerable software. Most network services can be > configured to limit what information is displayed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Many organizations implement security > policies that require a system banner provide notice of the system's ownership, provide > warning to unauthorized users, and remind authorized users of their consent to monitoring.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.3.7" operator="equals" type="string"> > <xccdf:title>login banner verbiage</xccdf:title> > <xccdf:description xml:lang="en">Enter an appropriate login banner for your organization</xccdf:description> > <xccdf:question xml:lang="en">Enter an appropriate login banner for your organization</xccdf:question> > <xccdf:value/> > <xccdf:value selector="Empty_text"/> > </xccdf:Value> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.7.1"> > <xccdf:title xml:lang="en">Modify the System Login Banner</xccdf:title> > <xccdf:description xml:lang="en"> > The contents of the file /etc/issue are displayed on the screen > just above the login prompt for users logging directly into a terminal. Remote login > programs such as SSH or FTP can be configured to display /etc/issue as well. > Instructions for configuring each server daemon to show this file can be found in the > relevant sections of Chapter 3. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, the system will display the version of the > OS, the kernel version, and the host name. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/issue. 
Replace the default text > with a message compliant with the local site policy or a legal disclaimer.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.7.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Modify the System Login Banner</xccdf:title> > <xccdf:description>The system login banner text should be: "<xccdf:sub idref="xccdf_cdf_value_var-2.3.7"/>"</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4060-0</xccdf:ident> > <xccdf:fixtext>Take value of DOD_text and put it in /etc/issue</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20102" value-id="xccdf_cdf_value_var-2.3.7"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20102"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.3.7.2"> > <xccdf:title xml:lang="en">Implement a GUI Warning Banner</xccdf:title> > <xccdf:description xml:lang="en"> > In the default graphical environment, users logging directly > into the system are greeted with a login screen provided by the GNOME display manager. > The warning banner should be displayed in this graphical environment for these > users.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The files for the default RHEL theme can be found in > /usr/share/gdm/themes/RHEL. 
Add the following sample block of XML to > /usr/share/gdm/themes/RHEL/RHEL.xml after the first two "pixmap" > entries:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:pre xmlns:xhtml="http://www.w3.org/1999/xhtml"> > <item type="rect"> > <pos anchor="n" x="50%" y="10" width="box" height="box"/> > <box> > <item type="label"> > <normal font="Sans 14" color="#ffffff"/> > <text>Insert the text of your warning banner here.</text> > </item> > </box> > </item> > </xhtml:pre> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > full syntax that GDM theme files expect is documented elsewhere, but the above XML will > create a text box centered at the top of the screen. The font, text color, and exact > positioning can all be easily modified by editing the appropriate values. The latest > current GDM theme manual can be found at http://www.gnome.org/ > projects/gdm/docs/thememanual.html. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.3.7.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Implement a GUI Warning Banner</xccdf:title> > <xccdf:description>The direct gnome login warning banner text should be: "<xccdf:sub idref="xccdf_cdf_value_var-2.3.7"/>"</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4188-9</xccdf:ident> > <xccdf:fixtext>(1) via RHEL.xml</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20102" value-id="xccdf_cdf_value_var-2.3.7"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20103"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4"> > <xccdf:title xml:lang="en">SELinux</xccdf:title> > <xccdf:description xml:lang="en"> > SELinux is a feature of the Linux kernel which can be used to guard > against misconfigured or 
compromised programs. SELinux enforces the idea that programs > should be limited in what files they can access and what actions they can take. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default > SELinux policy, as configured on RHEL5, has been sufficiently developed and debugged that it > should be usable on almost any Red Hat machine with minimal configuration and a small amount > of system administrator training. This policy prevents system services — including most of > the common network-visible services such as mail servers, ftp servers, and DNS servers — > from accessing files which those services have no valid reason to access. This action alone > prevents a huge amount of possible damage from network attacks against services, from > trojaned software, and so forth. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This guide recommends that SELinux be enabled using the > default (targeted) policy on every Red Hat system, unless that system has requirements which > make a stronger policy appropriate.</xccdf:description> > <xccdf:reference>Frank Mayer, K. M., and Caplan, D. SELinux by Example: Using Security Enhanced Linux</xccdf:reference> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.1"> > <xccdf:title xml:lang="en">How SELinux Works</xccdf:title> > <xccdf:description xml:lang="en"> > In the traditional Linux/Unix security model, known as > Discretionary Access Control (DAC), processes run under a user and group identity, and > enjoy that user and group's access rights to all files and other objects on the system. 
> This system brings with it a number of security problems, most notably: that processes > frequently do not need and should not have the full rights of the user who ran them; that > user and group access rights are not very granular, and may require administrators to > allow too much access in order to allow the access that is needed; that the Unix > filesystem contains many resources (such as temporary directories and world-readable > files) which are accessible to users who have no legitimate reason to access them; and > that legitimate users can easily provide open access to their own resources through > confusion or carelessness. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SELinux provides a Mandatory Access Control (MAC) system that > greatly augments the DAC model. Under SELinux, every process and every object (e.g. file, > socket, pipe) on the system is given a security context, a label which includes detailed > type information about the object. The kernel allows processes to access objects only if > that access is explicitly allowed by the policy in effect. The policy defines transitions, > so that a user can be allowed to run software, but the software can run under a different > context than the user's default. This automatically limits the damage that the software > can do to files accessible by the calling user — the user does not need to take any action > to gain this benefit. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For an action to occur, both the traditional DAC permissions must be > satisfied as well as SELinux's MAC rules. If either does not permit the action, then it will > not be allowed. In this way, SELinux rules can only make a system's permissions more > restrictive and secure. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SELinux requires a complex policy in order to allow all the > actions required of a system under normal operation. Three such policies have been > designed for use with RHEL5, and are included with the system. In increasing order of > power and complexity, they are: targeted, strict, and mls. The targeted SELinux policy > consists mostly of Type Enforcement (TE) rules, and a small number of Role-Based Access > Control (RBAC) rules. It restricts the actions of many types of programs, but leaves > interactive users largely unaffected. The strict policy also uses TE and RBAC rules, but > on more programs and more aggressively. The mls policy implements Multi-Level Security > (MLS), which introduces even more kinds of labels — sensitivity and category — and rules > that govern access based on these. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The remainder of this section provides guidance for the > configuration of the targeted policy and the administration of systems under this policy. > Some pointers will be provided for readers who are interested in further strengthening > their systems by using one of the stricter policies provided with RHEL5 or in writing > their own policy.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.2"> > <xccdf:title xml:lang="en">Enable SELinux</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/selinux/config. Add or correct the following > lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUX=enforcing <xhtml:br/> > SELINUXTYPE=targeted <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file /etc/grub.conf. 
Ensure that > the following arguments DO NOT appear on any kernel command line in the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">selinux=0 <xhtml:br/> > enforcing=0 <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The directive SELINUX=enforcing enables SELinux at boot time. If SELinux is > causing a lot of problems or preventing the system from booting, it is possible to boot > into the warning-only mode SELINUX=permissive for debugging purposes. Make certain to > change the mode back to enforcing after debugging, set the filesystems to be relabelled > for consistency using the command touch /.autorelabel, and reboot. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, the RHEL5 > default SELinux configuration should be sufficiently reasonable that most systems will > boot without serious problems. Some applications that require deep or unusual system > privileges, such as virtual machine software, may not be compatible with SELinux in its > default configuration. However, this should be uncommon, and SELinux's application support > continues to improve. In other cases, SELinux may reveal unusual or insecure program > behavior by design. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The directive SELINUXTYPE=targeted configures SELinux to use the > default targeted policy. See Section 2.4.6 if a stricter policy is appropriate for your > site. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The SELinux boot mode specified in /etc/selinux/config can be overridden by > command-line arguments passed to the kernel. 
It is necessary to check grub.conf to ensure > that this has not been done and to protect the bootloader as described in Section 2.3.5.2.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.4.2.c" operator="equals" type="string"> > <xccdf:title>SELinux state</xccdf:title> > <xccdf:description xml:lang="en"> > enforcing - SELinux security policy is enforced. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > permissive - SELinux prints warnings instead of enforcing.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > disabled - SELinux is fully disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: the rule that compares against this value passes whenever the configured state equals the selection, so selecting permissive or disabled makes the check succeed on a system that is not enforcing policy. Use enforcing except for temporary debugging, and switch back afterwards as described above. > </xccdf:description> > <xccdf:question xml:lang="en">Set the SELinux state</xccdf:question> > <xccdf:value>enforcing</xccdf:value> > <xccdf:value selector="enforcing">enforcing</xccdf:value> > <xccdf:value selector="permissive">permissive</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:match>enforcing|permissive|disabled</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>enforcing</xccdf:choice> > <xccdf:choice>permissive</xccdf:choice> > <xccdf:choice>disabled</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.4.2.d" operator="equals" type="string"> > <xccdf:title>SELinux policy</xccdf:title> > <xccdf:description xml:lang="en"> > Type of policy in use. 
Possible values are:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > targeted - Only targeted network daemons are protected.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > strict - Full SELinux protection.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > mls - Multiple levels of security</xccdf:description> > <xccdf:question xml:lang="en">Set the SELinux policy</xccdf:question> > <xccdf:value>targeted</xccdf:value> > <xccdf:value selector="targeted">targeted</xccdf:value> > <xccdf:value selector="strict">strict</xccdf:value> > <xccdf:value selector="mls">mls</xccdf:value> > <xccdf:match>targeted|strict|mls</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>targeted</xccdf:choice> > <xccdf:choice>strict</xccdf:choice> > <xccdf:choice>mls</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.2.1"> > <xccdf:title xml:lang="en">Ensure SELinux is Properly Enabled</xccdf:title> > <xccdf:description xml:lang="en"> > Run the command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ /usr/sbin/sestatus<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the system is properly configured, the output should indicate:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>SELinux status: enabled</xhtml:li><xhtml:li>Current mode: enforcing</xhtml:li><xhtml:li>Mode from config file: enforcing</xhtml:li><xhtml:li>Policy from config file: targeted</xhtml:li></xhtml:ul></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure SELinux is Properly Enabled</xccdf:title> > <xccdf:description>Check output of /usr/sbin/sestatus</xccdf:description> > <xccdf:check 
system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201035"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Enable SELinux in /etc/grub.conf</xccdf:title> > <xccdf:description>SELinux should NOT be disabled in /etc/grub.conf. Check that selinux=0 is not found</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3977-6</xccdf:ident> > <xccdf:fixtext>Remove offending line from /etc/grub.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20104"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Enable SELinux enforcement in /etc/grub.conf</xccdf:title> > <xccdf:description>SELinux enforcement should NOT be disabled in /etc/grub.conf. 
Check that enforcing=0 is not found.</xccdf:description> > <xccdf:fixtext>Remove offending line from /etc/grub.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20105"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set the SELinux state</xccdf:title> > <xccdf:description>The SELinux state should be: <xccdf:sub idref="xccdf_cdf_value_var-2.4.2.c"/></xccdf:description> > <xccdf:fixtext>Edit /etc/selinux/config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20106" value-id="xccdf_cdf_value_var-2.4.2.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20106"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.2.d" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set the SELinux policy</xccdf:title> > <xccdf:description>The SELinux policy should be set appropriately.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3624-4</xccdf:ident> > <xccdf:fixtext>Edit /etc/selinux/config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20107" value-id="xccdf_cdf_value_var-2.4.2.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20107"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.3"> > <xccdf:title xml:lang="en">Disable Unnecessary SELinux Daemons</xccdf:title> > <xccdf:description xml:lang="en"> > Several daemons are installed by default as part of the RHEL5 > SELinux support mechanism. 
These daemons may improve the system's ability to enforce > SELinux policy in a useful fashion, but may also represent unnecessary code running on the > machine, increasing system risk. If these daemons are not needed on your system, they > should be disabled.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.3.1"> > <xccdf:title xml:lang="en">Disable and Remove SETroubleshoot if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason to allow users to view > SELinux denial information using the sealert GUI? If not, disable the service and remove > the RPM: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig setroubleshoot off <xhtml:br/> > # yum erase setroubleshoot <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The setroubleshoot > service is a facility for notifying the desktop user of SELinux denials in a > user-friendly fashion. SELinux errors may provide important information about intrusion > attempts in progress, or may give information about SELinux configuration problems which > are preventing correct system operation. In order to maintain a secure and usable > SELinux installation, error logging and notification is necessary. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, > setroubleshoot is a service which has complex functionality, which runs a daemon and > uses IPC to distribute information which may be sensitive, or even to allow users to > modify SELinux settings, and which does not yet implement real authentication > mechanisms. This guide recommends disabling setroubleshoot and using the kernel audit > functionality to monitor SELinux's behavior. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In addition, since setroubleshoot > automatically runs client-side code whenever a denial occurs, regardless of whether the > setroubleshootd daemon is running, it is recommended that the program be removed > entirely unless it is needed.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.3.1.a" selected="false" weight="10.0"> > <xccdf:title>Remove SETroubleshoot if Possible</xccdf:title> > <xccdf:description>The setroubleshoot package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4148-3</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20108"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.3.1.b" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable SETroubleshoot if Possible</xccdf:title> > <xccdf:description>The setroubleshoot service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4254-9</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20109"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.3.2"> > <xccdf:title xml:lang="en">Disable MCS Translation Service (mcstrans) if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Unless there is some overriding need for the convenience of > category label translation, disable the MCS translation service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code 
xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mcstrans off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The mcstransd daemon provides the category label translation information defined in > /etc/selinux/targeted/ setrans.conf to client processes which request this information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Category labelling is unlikely to be used except in sites with special requirements. > Therefore, it should be disabled in order to reduce the amount of potentially vulnerable > code running on the system. See Section 2.4.6 for more information about systems which > use category labelling.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.3.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable MCS Translation Service (mcstrans) if Possible</xccdf:title> > <xccdf:description>The mcstrans service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3668-1</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20110"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.3.3"> > <xccdf:title xml:lang="en">Restorecon Service (restorecond)</xccdf:title> > <xccdf:description xml:lang="en"> > The restorecond daemon monitors a list of files which are > frequently created or modified on running systems, and whose SELinux contexts are not > set correctly. 
It looks for creation events related to files listed in /etc/ > selinux/restorecond.conf, and sets the contexts of those files when they are discovered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The restorecond program is fairly simple, so it brings low risk, but, in its default > configuration, does not add much value to a system. An automated program such as > restorecond may be used to monitor problematic files for context problems, or system > administrators may be trained to check file contexts of newly-created files using the > command ls -lZ, and to repair contexts manually using the restorecon command. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This guide > makes no recommendation either for or against the use of restorecond.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.3.3.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable restorecon Service (restorecond)</xccdf:title> > <xccdf:description>The restorecond service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4129-3</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20111"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.4"> > <xccdf:title xml:lang="en">Check for Unconfined Daemons</xccdf:title> > <xccdf:description xml:lang="en"> > Daemons that SELinux policy does not know about will inherit the > context of the parent process. Because daemons are launched during startup and descend > from the init process, they inherit the initrc_t context. 
This is a problem because it may > cause AVC denials, or it could allow privileges that the daemon does not require. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To check for unconfined daemons, run the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -eZ | egrep "initrc" | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It should produce no output in a well-configured system.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.5"> > <xccdf:title xml:lang="en">Check for Unlabeled Device Files</xccdf:title> > <xccdf:description xml:lang="en"> > Device files are used for communication with important system > resources. SELinux contexts should exist for these. 
If a device file is not labeled, then > misconfiguration is likely.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To check for unlabeled device files, run the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z /dev | grep unlabeled_t<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It should produce no output in a well-configured system.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.4.5.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Check for Unlabeled Device Files</xccdf:title> > <xccdf:description>Check for device files that are not labeled.</xccdf:description> > <xccdf:fixtext>(1) via restorecon</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201115"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.6"> > <xccdf:title xml:lang="en">Debugging SELinux Policy Errors</xccdf:title> > <xccdf:description xml:lang="en"> > SELinux's default policies have improved significantly over time, > and most systems should have few problems using the targeted SELinux policy. However, > policy problems may still occasionally prevent accesses which should be allowed. This is > especially true if your site runs any custom or heavily modified applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This section gives some brief guidance on discovering and repairing SELinux-related access > problems. Guidance given here is necessarily incomplete, but should provide a starting > point for debugging. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If you suspect that a permission error or other failure may be caused > by SELinux (and are certain that misconfiguration of the traditional Unix permissions are > not the cause of the problem), search the audit logs for AVC events: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch -m AVC,USER_AVC -sv no <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The output of this command will be a set of events. The timestamp, > along with the comm and pid fields, should indicate which line describes the problem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Look > up the context under which the process is running. Assuming the process ID is PID , find > the context by running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ps -p PID -Z <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The AVC denial message should identify the > offending file or directory. The name field should contain the filename (not the full > pathname by default), and the ino field can be used to search by inode, if necessary. 
> Assuming the file is FILE , find its SELinux context: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ls -Z FILE <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > An administrator should > suspect an SELinux misconfiguration whenever a program gets a 'permission denied' error > but the standard Unix permissions appear to be correct, or a program fails mysteriously on > a task which seems to involve file access or network communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > As described in > Section 2.4.1, SELinux augments each process with a context providing detailed type > information about that process. The contexts under which processes run may be referred to > as subject contexts. Similarly, each filesystem object is given a context. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The targeted > policy consists of a set of rules, each of which allows a subject type to perform some > operation on a given object type. The kernel stores information about these access > decisions in an structure known as an Access Vector Cache (AVC), so authorization > decisions made by the system are audited with the type AVC. It is also possible for > userspace modules to implement their own policies based on SELinux, and these decisions > are audited with the type USER_AVC. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > AVC denials are logged by the kernel audit facility > (see Section 2.6.2 for configuration guidance on this subsystem) and may also be visible > via setroubleshoot. This guide recommends the use of the audit userspace utilities to find > AVC errors. 
It is possible to manually locate these errors by looking in the file > /var/log/audit/audit.log or in /var/log/messages (depending on the syslog configuration in > effect), but the ausearch tool allows fine-grained searching on audit event types, which > may be necessary if system call auditing is enabled as well. The command line above tells > ausearch to look for kernel or userspace AVC messages (-m AVC,USER_AVC) where the access > attempt did not succeed (-sv no). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If an AVC denial occurs when it should not have, the > problem is generally one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The program is running with the wrong subject > context. This could happen as a result of an incorrect context on the program's executable > file, which could happen if 3rd party software is installed and not given appropriate > SELinux file contexts. </xhtml:li><xhtml:li>The file has the wrong object context because the current file's > context does not match the specification. This can occur when files are created or > modified in certain ways. It is not atypical for configuration files to get the wrong > contexts after a system configuration change performed by an administrator. To repair the > file, use the command: <xhtml:br/> > <xhtml:br/> > <xhtml:code># restorecon -v FILE <xhtml:br/></xhtml:code> > <xhtml:br/> > This should produce output indicating that the > file's context has been changed. 
The /usr/bin/chcon program can be used to manually change > a file's context, but this is problematic because the change will not persist if it does > not agree with the policy-defined contexts applied by restorecon.</xhtml:li><xhtml:li>The file has the wrong > object context because the specification is either incorrect or does not match the way the > file is being used on this system. In this case, it will be necessary to change the system > file contexts. <xhtml:br/> > <xhtml:br/> > Run the system-config-selinux tool, and go to the 'File Labeling' menu. > This will give a list of files and wildcards corresponding to file labelling rules on the > system. Add a rule which maps the file in question to the desired context. As an > alternative, file contexts can be modified from the command line using the semanage(8) > tool.</xhtml:li><xhtml:li>The program and file have the correct contexts, but the policy should allow some > operation between those two contexts which is currently not allowed. In this case, it will > be necessary to modify the SELinux policy. <xhtml:br/> > <xhtml:br/> > Run the system-config-selinux tool, and go to > the 'Boolean' menu. If your configuration is supported, but is not the Red Hat default, > then there will be a boolean allowing real-time modification of the SELinux policy to fix > the problem. Browse through the items in this menu, looking for one which is related to > the service which is not working. As an alternative, SELinux booleans can be modified from > the command line using the getsebool(8) and setsebool(8) tools. <xhtml:br/> > <xhtml:br/> > If there is no boolean, it > will be necessary to create and load a policy module. A simple way to build a policy > module is to use the audit2allow tool. This tool can take input in the format of AVC > denial messages, and generate syntactically correct Type Enforcement rules which would be > sufficient to prevent those denials. 
For example, to generate and display rules which > would allow all kernel denials seen in the past five minutes, run: <xhtml:br/> > <xhtml:br/> > <xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow <xhtml:br/></xhtml:code> > <xhtml:br/> > It is possible to use audit2allow to directly create a module > package suitable for loading into the kernel policy. To do this, invoke audit2allow with > the -M flag: <xhtml:br/> > <xhtml:br/> > <xhtml:code># ausearch -m AVC -sv no -ts recent | audit2allow -M localmodule <xhtml:br/></xhtml:code> > <xhtml:br/> > If this is > successful, several lines of output should appear. Review the generated TE rules in the > file localmodule.te and ensure that they express what you wish to allow. <xhtml:br/> > <xhtml:br/> > The file > localmodule.pp should also have been created. This file is a policy module package that > can be loaded into the kernel. To do so, use system-config-selinux, go to the 'Policy > Module' menu and use the 'Add' button to enable your module package in SELinux, or load it > from the command line using semodule(8): <xhtml:br/> > <xhtml:br/> > <xhtml:code># semodule -i localmodule.pp <xhtml:br/></xhtml:code> > <xhtml:br/> > Section 45.2 of [9] covers this procedure in detail.</xhtml:li></xhtml:ul></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.7"> > <xccdf:title xml:lang="en">Further Strengthening</xccdf:title> > <xccdf:description xml:lang="en"> > The recommendations up to this point have discussed how to > configure and maintain a system under the default configuration of the targeted policy, > which constrains only the actions of daemons and system software. 
This guide strongly > recommends that any site which is not currently using SELinux at all transition to the > targeted policy, to gain the substantial security benefits provided by that policy.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, the default policy provides only a subset of the full security gains available > from using SELinux. In particular, the SELinux policy is also capable of constraining the > actions of interactive users, of providing compartmented access by sensitivity level (MLS) > and/or category (MCS), and of restricting certain types of system actions using booleans > beyond the RHEL5 defaults. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This section introduces other uses of SELinux which may be > possible, and provides links to some outside resources about their use. Detailed > description of how to implement these steps is beyond the scope of this guide.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.7.1"> > <xccdf:title xml:lang="en">Strengthen the Default SELinux Boolean Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > SELinux booleans are used to enable or disable segments of > policy to comply with site policy. Booleans may apply to the entire system or to an > individual daemon. For instance, the boolean allow_execstack, if enabled, allows > programs to make part of their stack memory region executable. This would apply to all > programs on the system. The boolean ftp_home_dir allows ftpd processes to access user > home directories, and applies only to daemons which implement FTP. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The command <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ getsebool -a <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > lists the values of all SELinux booleans on the system. Section 2.4.5 > discussed loosening boolean values in order to debug functionality problems which occur > under more restrictive defaults. It is also useful to examine and strengthen the boolean > settings, to disable functionality which is not required by legitimate programs on your > system, but which might be symptomatic of an attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See the manpages booleans(8), > getsebool(8), and setsebool(8) for general information about booleans. There are also > manual pages for several subsystems which discuss the use of SELinux with those systems. > Examples include ftpd selinux(8), httpd selinux(8), and nfs selinux(8). Another good > reference is the html documentation distributed with the selinux-policy RPM. 
This > documentation is stored under <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > /usr/share/doc/selinux-policy-version/html/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The pages > global_tunables.html and global_booleans.html may be useful when examining booleans.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.7.2"> > <xccdf:title xml:lang="en">Use a Stronger Policy</xccdf:title> > <xccdf:description xml:lang="en"> > Using a stronger policy can greatly enhance security, but will > generally require customization to be compatible with the particular system's purpose, > and this may be costly or time consuming. Under the targeted policy, interactive > processes are given the type unconfined_t, so interactive users are not constrained by > SELinux even if they attempt to take strange or malicious actions. The first alternative > policy available with RHEL5's SELinux distribution, called strict, extends the > protections offered by the default policy from daemons and system processes to all > processes. 
To use the strict policy, first ensure that the policy module is installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-strict <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Then edit /etc/selinux/config and correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=strict <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The mls policy type can be used to enforce sensitivity or category > labelling, and requires site-specific configuration of these labels in order to be > useful. To use this policy, install the appropriate policy module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install selinux-policy-mls <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Then edit /etc/selinux/config and correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">SELINUXTYPE=mls</xhtml:code></xccdf:description> > <xccdf:warning xml:lang="en"> > Note: Switching between policies typically requires the entire disk to be relabelled, so > that files get the appropriate SELinux contexts under the new policy. 
Boot with the > additional grub command-line options <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">enforcing=0 single autorelabel </xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > to relabel the disk in single-user mode, then reboot normally.</xccdf:warning> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.4.8"> > <xccdf:title xml:lang="en">SELinux References</xccdf:title> > <xccdf:description xml:lang="en"> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"> > <xhtml:li>NSA SELinux resources:<xhtml:br/> > <xhtml:ul><xhtml:li>Web page: http://www.nsa.gov/selinux/</xhtml:li><xhtml:li>Mailing list: selinux@tycho.nsa.gov <xhtml:br/> > List information at: http://www.nsa.gov/selinux/info/list.cfm</xhtml:li></xhtml:ul> > </xhtml:li> > <xhtml:li>Fedora SELinux resources:<xhtml:br/> > <xhtml:ul><xhtml:li>FAQ: http://docs.fedoraproject.org/selinux-faq/</xhtml:li><xhtml:li>Wiki: http://fedoraproject.org/wiki/SELinux/</xhtml:li><xhtml:li>Mailing list: fedora-selinux-list@redhat.com <xhtml:br/> > List information at: > https://www.redhat.com/mailman/listinfo/fedora-selinux-list</xhtml:li></xhtml:ul> > </xhtml:li> > <xhtml:li>Chapters 43–45 of Red Hat Enterprise Linux 5: Deployment Guide [9]</xhtml:li> > <xhtml:li>The book SELinux by Example: Using Security Enhanced Linux [13]</xhtml:li> > </xhtml:ul> > </xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5"> > <xccdf:title xml:lang="en">Network Configuration and Firewalls</xccdf:title> > <xccdf:description xml:lang="en"> > Most machines must be connected to a network of some sort, and this > brings with it the substantial risk of network attack. This section discusses the security > impact of decisions about networking which must be made when configuring a system. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This section also discusses firewalls, network access controls, and other network security > frameworks, which allow system-level rules to be written that can limit attackers' ability > to connect to your system. These rules can specify that network traffic should be allowed or > denied from certain IP addresses, hosts, and networks. The rules can also specify which of > the system's network services are available to particular hosts or networks.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.1"> > <xccdf:title xml:lang="en">Kernel Parameters which Affect Networking</xccdf:title> > <xccdf:description xml:lang="en"> > The sysctl utility is used to set a number of parameters which > affect the operation of the Linux kernel. Several of these parameters are specific to > networking, and the configuration options in this section are recommended.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.1.1"> > <xccdf:title xml:lang="en">Network Parameters for Hosts Only</xccdf:title> > <xccdf:description xml:lang="en"> > Is this system going to be used as a firewall or gateway to > pass IP traffic between different networks? 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If not, edit the file /etc/sysctl.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">net.ipv4.ip_forward = 0 <xhtml:br/> > net.ipv4.conf.all.send_redirects = 0 <xhtml:br/> > net.ipv4.conf.default.send_redirects = 0 <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These settings disable hosts from > performing network functionality which is only appropriate for routers.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable net.ipv4.conf.default.send_redirects for Hosts Only</xccdf:title> > <xccdf:description>The default setting for sending ICMP redirects should be disabled for network interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4151-7</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.default.send_redirects</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20112"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable net.ipv4.conf.all.send_redirects for Hosts Only</xccdf:title> > <xccdf:description>Sending ICMP redirects should be disabled for all interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4155-8</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.all.send_redirects</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20113"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule 
id="xccdf_cdf_rule_rule-2.5.1.1.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable net.ipv4.ip forward for Hosts Only</xccdf:title> > <xccdf:description>IP forwarding should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3561-8</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.ip_forward</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20114"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.1.2"> > <xccdf:title xml:lang="en">Network Parameters for Hosts and Routers</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/sysctl.conf and add or correct the following > lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.all.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.all.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.all.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.all.log_martians = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.default.accept_source_route = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.default.accept_redirects = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.default.secure_redirects = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.icmp_echo_ignore_broadcasts = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.icmp_ignore_bogus_error_messages = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.tcp_syncookies = 1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.all.rp_filter = 1 <xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv4.conf.default.rp_filter = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These options > improve Linux's ability to defend against certain types of IPv4 protocol attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > accept_source_route, accept_redirects, and secure_redirects options are turned off to > disable IPv4 protocol features which are considered to have few legitimate uses and to > be easy to abuse. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The net.ipv4.conf.all.log_martians option logs several types of > suspicious packets, such as spoofed packets, source-routed packets, and redirects. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The icmp_echo_ignore_broadcasts and icmp_ignore_bogus_error_messages options protect against > ICMP attacks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The tcp_syncookies option uses a cryptographic feature called SYN cookies > to allow machines to continue to accept legitimate connections when faced with a SYN > flood attack. See [12] for further information on this option. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The rp_filter option > enables RFC-recommended source validation. It should not be used on machines which are > routers for very complicated networks, but is helpful for end hosts and routers serving > small networks. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For more information on any of these, see the kernel source > documentation file /Documentation/networking/ip-sysctl.txt.2</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.a" operator="equals" type="boolean"> > <xccdf:title>Deactivating "source routed packets"</xccdf:title> > <xccdf:description xml:lang="en">Trackers could be using source-routed packets to generate traffic that seems to be intra-net, but actually was created outside and has been redirected.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable source routed packets</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.b" operator="equals" type="boolean"> > <xccdf:title>ICMP redirect messages</xccdf:title> > <xccdf:description xml:lang="en">Disable ICMP Redirect Acceptance?</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable ICMP redirect messages</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.c" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.conf.all.secure_redirects</xccdf:title> > <xccdf:description xml:lang="en">Enable to prevent hijacking of routing path by only allowing redirects from gateways known in routing table. 
</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv4 prevent hijacking of routing paths</xccdf:question> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.d" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.conf.all.log_martians</xccdf:title> > <xccdf:description xml:lang="en">Disable so you don't Log Spoofed Packets, Source Routed Packets, Redirect Packets </xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv4 logging Spoofed packets, source routed packets and redirect packets</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.e" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.conf.default.accept_source_route</xccdf:title> > <xccdf:description xml:lang="en">Disable IP source routing?</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv4 source routing</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.f" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.conf.default.accept_redirects</xccdf:title> > <xccdf:description xml:lang="en">Disable ICMP Redirect Acceptance?</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable default IPv4 ICMP Redirect Acceptance</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.g" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.conf.default.secure_redirects</xccdf:title> > <xccdf:description xml:lang="en">Log 
packets with impossible addresses to kernel log?</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv4 logging packets with impossible addresses to kernel log</xccdf:question> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.h" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.icmp_echo_ignore_broadcast</xccdf:title> > <xccdf:description xml:lang="en">Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv4 ignoring ICMP ECHO and TIMESTAMP requests from broadcast/multicast</xccdf:question> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.i" operator="equals" type="boolean"> > <!-- TODO --> > <xccdf:title>net.ipv4.icmp_ignore_bogus_error_messages</xccdf:title> > <xccdf:description xml:lang="en">Enable to prevent certain types of attacks</xccdf:description> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.j" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.tcp_syncookie</xccdf:title> > <xccdf:description xml:lang="en">Enable to turn on TCP SYN Cookie Protection</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable TCP SYN Cookie Protection</xccdf:question> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.k" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.conf.all.rp_filter</xccdf:title> > <xccdf:description xml:lang="en">Enable to enforce 
sanity checking, also called ingress filtering or egress filtering. The point is to drop a packet if the source and destination IP addresses in the IP header do not make sense when considered in light of the physical interface on which it arrived. </xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable all enforcing sanity checks</xccdf:question> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.1.2.l" operator="equals" type="boolean"> > <xccdf:title>net.ipv4.conf.default.rp_filter</xccdf:title> > <xccdf:description xml:lang="en">Enables source route verification</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable default source route verification</xccdf:question> > <xccdf:value>1</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.all.accept_source_route for Hosts and Routers</xccdf:title> > <xccdf:description>Accepting source routed packets should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.a"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4236-6</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.all.accept_source_route</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20115" value-id="xccdf_cdf_value_var-2.5.1.2.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20115"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.all.accept_redirects for Hosts and 
Routers</xccdf:title> > <xccdf:description>Accepting ICMP redirects should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.b"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4217-6</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.all.accept_redirects</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20116" value-id="xccdf_cdf_value_var-2.5.1.2.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20116"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.all.secure_redirects for Hosts and Routers</xccdf:title> > <xccdf:description>Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.c"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3472-8</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.all.secure_redirects</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20117" value-id="xccdf_cdf_value_var-2.5.1.2.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20117"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.d" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.all.log_martians for Hosts and Routers</xccdf:title> > <xccdf:description>Logging of "martian" packets (those with impossible addresses) should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.d"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident 
system="http://cce.mitre.org">CCE-4320-8</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.all.log_martians</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20118" value-id="xccdf_cdf_value_var-2.5.1.2.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20118"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.e" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.default.accept_source_route for Hosts and Routers</xccdf:title> > <xccdf:description>The default setting for accepting source routed packets should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.e"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4091-5</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.default.accept_source_route</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20119" value-id="xccdf_cdf_value_var-2.5.1.2.e"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20119"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.f" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.default.accept_redirects for Hosts and Routers</xccdf:title> > <xccdf:description>The default setting for accepting ICMP redirects should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.f"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4186-3</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.default.accept_redirects</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export 
export-name="oval:org.open-scap.f14:var:20120" value-id="xccdf_cdf_value_var-2.5.1.2.f"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20120"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.g" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.default.secure_redirects for Hosts and Routers</xccdf:title> > <xccdf:description>The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.g"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3339-9</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.default.secure_redirects</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20121" value-id="xccdf_cdf_value_var-2.5.1.2.g"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20121"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.h" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.icmp_echo_ignore_broadcasts for Hosts and Routers</xccdf:title> > <xccdf:description>Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.h"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3644-2</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.icmp_echo_ignore_broadcasts</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20122" value-id="xccdf_cdf_value_var-2.5.1.2.h"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20122"/> > 
</xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.i" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.icmp_ignore_bogus_error_messages for Hosts and Routers</xccdf:title> > <xccdf:description>Ignoring bogus ICMP responses to broadcasts should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.i"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4133-5</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.icmp_ignore_bogus_error_messages</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20123" value-id="xccdf_cdf_value_var-2.5.1.2.i"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20123"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.j" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.tcp_syncookies for Hosts and Routers</xccdf:title> > <xccdf:description>Sending TCP syncookies should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.j"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4265-5</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.tcp_syncookies</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20124" value-id="xccdf_cdf_value_var-2.5.1.2.j"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20124"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.k" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.all.rp_filter for Hosts and Routers</xccdf:title> > <xccdf:description>Performing source validation by reverse path should be: <xccdf:sub 
idref="xccdf_cdf_value_var-2.5.1.2.k"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4080-8</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.all.rp_filter</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20125" value-id="xccdf_cdf_value_var-2.5.1.2.k"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20125"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.1.2.l" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set net.ipv4.conf.default.rp_filter for Hosts and Routers</xccdf:title> > <xccdf:description>The default setting for performing source validation by reverse path should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.1.2.l"/> for all interfaces as appropriate.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3840-6</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv4.conf.default.rp_filter</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20126" value-id="xccdf_cdf_value_var-2.5.1.2.l"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20126"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.2"> > <xccdf:title xml:lang="en">Wireless Networking</xccdf:title> > <xccdf:description xml:lang="en"> > Wireless networking (sometimes referred to as 802.11 or Wi-Fi) > presents a serious security risk to sensitive or classified systems and networks. Wireless > networking hardware is much more likely to be included in laptop or portable systems than > desktops or servers. See Section 3.3.14 for information on Bluetooth wireless support. 
> Bluetooth serves a different purpose and possesses a much shorter range, but it still > presents serious security risks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Removal of hardware is the only way to absolutely ensure > that the wireless capability remains disabled. If it is completely impractical to remove > the wireless hardware, and site policy still allows the device to enter sensitive spaces, > every effort to disable the capability via software should be made. In general, > acquisition policy should include provisions to prevent the purchase of equipment that > will be used in sensitive spaces and includes wireless capabilities.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.2.1"> > <xccdf:title xml:lang="en">Remove Wireless Hardware if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Identifying the wireless hardware is the first step in removing > it. The system's hardware manual should contain information on its wireless > capabilities. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Wireless hardware included with a laptop typically takes the form of a > mini-PCI card or PC card. Other forms include devices which plug into USB or Ethernet > ports, but these should be readily apparent and easy to remove from the base system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A PC Card (originally called a PCMCIA card) is designed to be easy to remove, though it > may be hidden when inserted into the system. Frequently, there will be one or more > buttons near the card slot that, when pressed, eject the card from the system. If no > card is ejected, the slot is empty. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A mini-PCI card is approximately credit-card sized > and typically accessible via a removable panel on the underside of the laptop. Removing > the panel may require simple tools. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In addition to manually inspecting the hardware, it > is also possible to query the system for its installed hardware devices. The commands > /sbin/lspci and /sbin/lsusb will show a list of all recognized devices on their > respective buses, and this may indicate the presence of a wireless device.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.2.2"> > <xccdf:title xml:lang="en">Disable Wireless Through Software Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > If it is impossible to remove the wireless hardware from the > device in question, disable as much of it as possible through software. The following > methods can disable software support for wireless networking, but note that these > methods do not prevent malicious software or careless users from re-activating the > devices.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.2.2.1"> > <xccdf:title xml:lang="en">Disable Wireless in BIOS</xccdf:title> > <xccdf:description xml:lang="en"> > Some laptops that include built-in wireless support offer the > ability to disable the device through the BIOS. This is system-specific; consult your > hardware manual or explore the BIOS setup during boot. 
2A recent version of this file > can be found online at > http://lxr.linux.no/source/Documentation/networking/ip-sysctl.txt.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.2.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Wireless in BIOS</xccdf:title> > <xccdf:description>All wireless devices should be disabled in the BIOS.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3628-5</xccdf:ident> > <xccdf:fixtext>(1) via BIOS menus</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20127"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.2.2.2"> > <xccdf:title xml:lang="en">Deactivate Wireless Interfaces</xccdf:title> > <xccdf:description xml:lang="en"> > Deactivating the wireless interfaces should prevent normal > usage of the wireless capability. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > First, identify the interfaces available with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ifconfig -a <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Additionally, the following command may also be used to > determine whether wireless support ('extensions') is included for a particular > interface, though this may not always be a clear indicator: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iwconfig <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > After > identifying any wireless interfaces (which may have names like wlan0, ath0, wifi0, or > eth0), deactivate the interface with the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ifdown interface <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These changes > will only last until the next reboot. 
To disable the interface for future boots, > remove the appropriate interface file from /etc/sysconfig/network-scripts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-interface</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.2.2.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Deactivate Wireless Interfaces</xccdf:title> > <xccdf:description>All wireless interfaces should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4276-2</xccdf:ident> > <xccdf:fixtext>rm /etc/sysconfig/network-scripts/ifcfg-interface</xccdf:fixtext> > <xccdf:fixtext>ifdown interface</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20128"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.2.2.3"> > <xccdf:title xml:lang="en">Disable Wireless Drivers</xccdf:title> > <xccdf:description xml:lang="en"> > Removing the kernel drivers that provide support for wireless > Ethernet devices will prevent users from easily activating the devices. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To remove the wireless drivers from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm -r /lib/modules/kernelversion(s)/kernel/drivers/net/wireless <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This command must also be repeated every time the kernel is upgraded.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.2.2.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Wireless Drivers</xccdf:title> > <xccdf:description>Device drivers for wireless devices should be excluded from the kernel.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4170-7</xccdf:ident> > <xccdf:fixtext>(1) via modprobe</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20129"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3"> > <xccdf:title xml:lang="en">IPv6</xccdf:title> > <xccdf:description xml:lang="en"> > The system includes support for Internet Protocol version 6. A > major and often-mentioned improvement over IPv4 is its enormous increase in the number of > available addresses. Another important feature is its support for automatic configuration > of many network settings.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.1"> > <xccdf:title xml:lang="en">Disable Support for IPv6 unless Needed</xccdf:title> > <xccdf:description xml:lang="en"> > Because the IPv6 networking code is relatively new and complex, > it is particularly important that it be disabled unless needed. 
Despite configuration > that suggests support for IPv6 has been disabled, link-local IPv6 address > autoconfiguration occurs even when only an IPv4 address is assigned. The only way to > effectively prevent execution of the IPv6 networking stack is to prevent the kernel from > loading the IPv6 kernel module.</xccdf:description> > <xccdf:reference>MO3:S0-C1-1</xccdf:reference> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.1.1"> > <xccdf:title xml:lang="en">Disable Automatic Loading of IPv6 Kernel Module</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent the IPv6 kernel module (ipv6) from being loaded, > add the following line to /etc/modprobe.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > install ipv6 /bin/true <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > When the kernel requests the ipv6 module, this line will direct the system to run the > program /bin/true instead.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.1.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Automatic Loading of IPv6 Kernel Module</xccdf:title> > <xccdf:description>Automatic loading of the IPv6 kernel module should be disabled.</xccdf:description> > <xccdf:reference>MO3:S0-C1-1 MO3:S0-C1-2</xccdf:reference> > <xccdf:ident system="http://cce.mitre.org">CCE-3562-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/modprobe.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20130"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.1.2"> > <xccdf:title xml:lang="en">Disable Interface Usage of IPv6</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent configuration of IPv6 for all 
interfaces, add or > correct the following lines in /etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > NETWORKING_IPV6=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IPV6INIT=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For each network interface IFACE , add or correct the following lines in > /etc/sysconfig/network-scripts/ifcfg-IFACE as an additional prevention mechanism:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IPV6INIT=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If it becomes necessary later to configure IPv6, only the interfaces > requiring it should be enabled.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.1.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable NETWORKING_IPV6 in /etc/sysconfig/network</xccdf:title> > <xccdf:description>The default setting for IPv6 configuration should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3381-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/network</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20131"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.1.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable IPV6INIT in /etc/sysconfig/network</xccdf:title> > <xccdf:description>Global IPv6 initialization should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3377-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/network</xccdf:fixtext> > <xccdf:check 
system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20132"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.1.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-*</xccdf:title> > <xccdf:description>IPv6 configuration should be disabled for all interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4296-0</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/network-scripts/ifcfg-*</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20133"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.2"> > <xccdf:title xml:lang="en">Configure IPv6 Settings if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > A major feature of IPv6 is the extent to which systems > implementing it can automatically configure their networking devices using information > from the network. 
From a security perspective, manually configuring important > configuration information is always preferable to accepting it from the network in an > unauthenticated fashion.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.2.1"> > <xccdf:title xml:lang="en">Disable Automatic Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > Disable the system's acceptance of router advertisements and > redirects by adding or correcting the following line in /etc/sysconfig/network (note > that this does not disable sending router solicitations): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IPV6_AUTOCONF=no</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.1.a" operator="equals" type="string"> > <xccdf:title>IPV6_AUTOCONF</xccdf:title> > <xccdf:description xml:lang="en">Toggle global IPv6 autoconfiguration (only, if global forwarding is disabled)</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable global IPv6 autoconfiguration</xccdf:question> > <xccdf:value>disabled</xccdf:value> > <xccdf:value selector="enabled">enabled</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:match>enabled|disabled</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.1.b" operator="equals" type="string"> > <xccdf:title>net.ipv6.conf.default.accept_ra</xccdf:title> > <xccdf:description xml:lang="en">accept default router advertisements</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv6 accepting default router advertisements</xccdf:question> > <xccdf:value>no</xccdf:value> > <xccdf:value selector="enabled">yes</xccdf:value> > <xccdf:value selector="disabled">no</xccdf:value> > <xccdf:match>yes|no</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.1.c" operator="equals" type="string"> > <xccdf:title>net.ipv6.conf.default.accept_redirects</xccdf:title> > 
<xccdf:description xml:lang="en">Toggle ICMP Redirect Acceptance</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv6 default ICMP Redirect Acceptance</xccdf:question> > <xccdf:value>disabled</xccdf:value> > <xccdf:value selector="enabled">enabled</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:match>enabled|disabled</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.1.d" operator="equals" type="string"> > <xccdf:title>net.ipv6.conf.all.accept_redirects</xccdf:title> > <xccdf:description xml:lang="en">Toggle ICMP Redirect Acceptance</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable all IPv6 ICMP Redirect Acceptance</xccdf:question> > <xccdf:value>disabled</xccdf:value> > <xccdf:value selector="enabled">enabled</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:match>enabled|disabled</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable IPV6_AUTOCONF in /etc/sysconfig/network</xccdf:title> > <xccdf:description>Accepting IPv6 router advertisements should be disabled for all interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4269-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/network</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20134" value-id="xccdf_cdf_value_var-2.5.3.2.1.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20134"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable accepting IPv6 router advertisements (net.ipv6.conf.default.accept_ra)</xccdf:title> > <xccdf:description>The default setting for accepting IPv6 router advertisements should 
be: for all interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4291-1</xccdf:ident> > <xccdf:fixtext>(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20135" value-id="xccdf_cdf_value_var-2.5.3.2.1.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20135"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.1.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable accepting redirects from IPv6 routers (net.ipv6.conf.default.accept_redirects)</xccdf:title> > <xccdf:description>Accepting redirects from IPv6 routers should be: for all interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4313-3</xccdf:ident> > <xccdf:fixtext>(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20136" value-id="xccdf_cdf_value_var-2.5.3.2.1.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20136"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.1.d" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable accepting redirects from IPv6 routers (net.ipv6.conf.all.accept_redirects)</xccdf:title> > <xccdf:description>The default setting for accepting redirects from IPv6 routers should be: for all interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4198-8</xccdf:ident> > <xccdf:fixtext>(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export 
export-name="oval:org.open-scap.f14:var:20137" value-id="xccdf_cdf_value_var-2.5.3.2.1.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20137"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.2.2"> > <xccdf:title xml:lang="en">Manually Assign Global IPv6 Address</xccdf:title> > <xccdf:description xml:lang="en"> > To manually assign an IP address for an interface IFACE, edit > the file /etc/sysconfig/network-scripts/ ifcfg-IFACE. Add or correct the following > line (substituting the correct IPv6 address): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IPV6ADDR=2001:0DB8::ABCD/64 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Manually > assigning an IP address is preferable to accepting one from routers or from the > network otherwise. The example address here is an IPv6 address reserved for > documentation purposes, as defined by RFC3849.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.2.3"> > <xccdf:title xml:lang="en">Use Privacy Extensions for Address if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > To introduce randomness into the automatic generation of IPv6 > addresses, add or correct the following line in > /etc/sysconfig/network-scripts/ifcfg-IFACE: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IPV6_PRIVACY=rfc3041<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Automatically-generated IPv6 addresses are based on the underlying hardware (e.g. > Ethernet) address, and so it becomes possible to track a piece of hardware over its > lifetime using its traffic. 
If it is important for a system's IP address to not > trivially reveal its hardware address, this setting should be applied.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.3.a" operator="equals" type="string"> > <xccdf:title>IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-IFACE</xccdf:title> > <xccdf:description xml:lang="en">Control IPv6 privacy.</xccdf:description> > <xccdf:question xml:lang="en">Select control of IPv6 address creation privacy</xccdf:question> > <xccdf:value>rfc3041</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:value selector="lightweight">lightweight</xccdf:value> > <xccdf:value selector="rfc3041">rfc3041</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.3.a" selected="false" weight="10.0"> > <xccdf:title>Use Privacy Extensions for Address if Necessary</xccdf:title> > <xccdf:description>IPv6 privacy extensions should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.3.a"/> for all interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3842-2</xccdf:ident> > <xccdf:fixtext>(1) via IPV6_PRIVACY in > /etc/sysconfig/network-scripts/ifcfg-<interface></xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20138" value-id="xccdf_cdf_value_var-2.5.3.2.3.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20138"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.2.4"> > <xccdf:title xml:lang="en">Manually Assign IPv6 Router Address</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/sysconfig/network-scripts/ifcfg-IFACE , > and add or correct the following line (substituting your gateway IP as appropriate):<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 
IPV6_DEFAULTGW=2001:0DB8::0001 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Router addresses should be manually set and not > accepted via any autoconfiguration or router advertisement.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.3.2.5"> > <xccdf:title xml:lang="en">Limit Network-Transmitted Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > Add the following lines to /etc/sysctl.conf to limit the > configuration information requested from other systems, and accepted from the network:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv6.conf.default.router_solicitations = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv6.conf.default.accept_ra_rtr_pref = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv6.conf.default.accept_ra_pinfo = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv6.conf.default.accept_ra_defrtr = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv6.conf.default.autoconf = 0<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv6.conf.default.dad_transmits = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > net.ipv6.conf.default.max_addresses = 1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The router solicitations setting determines how many router solicitations are sent > when bringing up the interface. If addresses are statically assigned, there is no need > to send any solicitations. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The accept_ra_pinfo setting controls whether the system will > accept prefix info from the router. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The accept_ra_defrtr setting controls whether the > system will accept Hop Limit settings from a router advertisement. Setting it to 0 > prevents a router from changing your default IPv6 Hop Limit for outgoing packets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The autoconf setting controls whether router advertisements can cause the system to > assign a global unicast address to an interface. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The dad_transmits setting determines how > many neighbor solicitations to send out per address (global and link-local) when > bringing up an interface to ensure the desired address is unique on the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The max_addresses setting determines how many global unicast IPv6 addresses can be > assigned to each interface. The default is 16, but it should be set to exactly the > number of statically configured global addresses required.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.5.a" operator="equals" type="number"> > <xccdf:title> net.ipv6.conf.default.router_solicitations</xccdf:title> > <xccdf:description xml:lang="en"> > Setting determines how many router solicitations are > sent when bringing up the interface. 
If addresses are statically assigned, there > is no need to send any solicitation</xccdf:description> > <xccdf:question xml:lang="en">Select how many router solicitations are sent when bringing up the interface</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:value selector="1">1</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.5.b" operator="equals" type="boolean"> > <xccdf:title>Accept Router Preference in Router Advertisements?</xccdf:title> > <xccdf:description xml:lang="en">Control IPv6 privacy.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv6 router advertisements</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.5.c" operator="equals" type="boolean"> > <xccdf:title>net.ipv6.conf.default.accept_ra_pinfo</xccdf:title> > <xccdf:description xml:lang="en">Setting controls whether the system will accept prefix info from the router</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv6 acceptance of router prefix info</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.5.d" operator="equals" type="boolean"> > <xccdf:title>net.ipv6.conf.default.accept_ra_defrtr</xccdf:title> > <xccdf:description xml:lang="en"> > Setting controls whether the system will accept Hop Limit > settings from a router advertisement. 
Setting it to 0 prevents a router from > changing your default IPv6 Hop Limit for outgoing packets.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv6 acceptance of Hop limits from router advertisement</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.5.e" operator="equals" type="boolean"> > <xccdf:title>net.ipv6.conf.default.autoconf</xccdf:title> > <xccdf:description>Setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable IPv6 acceptance of global unicast address from router advertisement</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="enabled">1</xccdf:value> > <xccdf:value selector="disabled">0</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.5.f" operator="equals" type="number"> > <xccdf:title>net.ipv6.conf.default.dad_transmits</xccdf:title> > <xccdf:description xml:lang="en"> > Setting determines how many neighbor solicitations to > send out per address (global and link-local) when bringing up an interface to > ensure the desired address is unique on the network</xccdf:description> > <xccdf:question xml:lang="en">Select how many neighbor solicitations send out per address to ensure uniqueness of desired address for IPv6</xccdf:question> > <xccdf:value>0</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:value selector="1">1</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.5.3.2.5.g" operator="equals" type="number"> > <xccdf:title>net.ipv6.conf.default.max_addresses</xccdf:title> > <xccdf:description> > Setting determines how many global unicast IPv6 addresses can be > assigned to each interface. 
The default is 16, but it should be set to exactly > the number of statically configured global addresses required.</xccdf:description> > <xccdf:question xml:lang="en">Select how many global unicast IPv6 addresses can be assigned to each interface</xccdf:question> > <xccdf:value>16</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:value selector="1">1</xccdf:value> > <xccdf:value selector="2">2</xccdf:value> > <xccdf:value selector="4">4</xccdf:value> > <xccdf:value selector="8">8</xccdf:value> > <xccdf:value selector="16">16</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.5.a" selected="false" weight="10.0"> > <xccdf:title>Limit Network-Transmitted Configuration via net.ipv6.conf.default.router_solicitations</xccdf:title> > <xccdf:description>The default number of IPv6 router solicitations for network interfaces to send should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.5.a"/></xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4159-0</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv6.conf.default.router_solicitations</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20139" value-id="xccdf_cdf_value_var-2.5.3.2.5.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20139"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.5.b" selected="false" weight="10.0"> > <xccdf:title>Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_rtr_pref</xccdf:title> > <xccdf:description>The default setting for accepting router preference via IPv6 router advertisement should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.5.b"/> for interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4221-8</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - 
net.ipv6.conf.default.accept_ra_rtr_pref</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20140" value-id="xccdf_cdf_value_var-2.5.3.2.5.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20140"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.5.c" selected="false" weight="10.0"> > <xccdf:title>Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_pinfo</xccdf:title> > <xccdf:description>The default setting for accepting prefix information via IPv6 router advertisement should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.5.c"/> for interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4058-4</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv6.conf.default.accept_ra_pinfo</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20141" value-id="xccdf_cdf_value_var-2.5.3.2.5.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20141"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.5.d" selected="false" weight="10.0"> > <xccdf:title>Limit Network-Transmitted Configuration via net.ipv6.conf.default.accept_ra_defrtr</xccdf:title> > <xccdf:description>The default setting for accepting a default router via IPv6 router advertisement should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.5.d"/> for interfaces.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4128-5</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv6.conf.default.accept_ra_defrtr</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20142" 
value-id="xccdf_cdf_value_var-2.5.3.2.5.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20142"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.5.e" selected="false" weight="10.0"> > <xccdf:title>Limit Network-Transmitted Configuration via net.ipv6.conf.default.autoconf</xccdf:title> > <xccdf:description>The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.5.e"/>.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4287-9</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv6.conf.default.autoconf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20143" value-id="xccdf_cdf_value_var-2.5.3.2.5.e"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20143"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.3.2.5.f" selected="false" weight="10.0"> > <xccdf:title>Limit Network-Transmitted Configuration via net.ipv6.conf.default.dad_transmits</xccdf:title> > <xccdf:description>The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.5.f"/>.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3895-0</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv6.conf.default.dad_transmits</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20144" value-id="xccdf_cdf_value_var-2.5.3.2.5.f"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20144"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule 
id="xccdf_cdf_rule_rule-2.5.3.2.5.g" selected="false" weight="10.0"> > <xccdf:title>Limit Network-Transmitted Configuration via net.ipv6.conf.default.max_addresses</xccdf:title> > <xccdf:description>The default number of global unicast IPv6 addresses allowed per network interface should be: <xccdf:sub idref="xccdf_cdf_value_var-2.5.3.2.5.g"/>.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4137-6</xccdf:ident> > <xccdf:fixtext>(1) via sysctl - net.ipv6.conf.default.max_addresses</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20145" value-id="xccdf_cdf_value_var-2.5.3.2.5.g"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20145"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.4"> > <xccdf:title xml:lang="en">TCP Wrapper</xccdf:title> > <xccdf:description xml:lang="en"> > TCP Wrapper is a library which provides simple access control and > standardized logging for supported applications which accept connections over a network. > Historically, TCP Wrapper was used to support inetd services. Now that inetd is deprecated > (see Section 3.2.1), TCP Wrapper supports only services which were built to make use of > the libwrap library. To determine whether a given executable daemon /path/to/daemon > supports TCP Wrapper, check the documentation, or run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ ldd /path/to/daemon | grep libwrap.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If this command returns any output, then the daemon probably supports TCP Wrapper. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > An alternative to TCP Wrapper support is packet filtering using iptables. Note > that iptables works at the network level, while TCP Wrapper works at the application > level. This means that iptables filtering is more efficient and more resistant to flaws in > the software being protected, but TCP Wrapper provides support for logging, banners, and > other application-level tricks which iptables cannot provide.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.4.1"> > <xccdf:title xml:lang="en">How TCP Wrapper Protects Services</xccdf:title> > <xccdf:description xml:lang="en"> > TCP Wrapper provides access control for the system's network > services using two configuration files. When a connection is attempted: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The file > /etc/hosts.allow is searched for a rule matching the connection. If one is found, the > connection is allowed. </xhtml:li><xhtml:li>Otherwise, the file /etc/hosts.deny is searched for a rule > matching the connection. If one is found, the connection is rejected. </xhtml:li><xhtml:li>If no matching > rules are found in either file, then the connection is allowed. By default, TCP Wrapper > does not block access to any services. </xhtml:li></xhtml:ol> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In the simplest case, each rule in /etc/hosts.allow and /etc/hosts.deny takes the form: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > daemon : client <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where daemon is the > name of the server process for which the connection is destined, and client is the > partial or full hostname or IP address of the client. 
It is valid for daemon and client > to contain one item, a comma-separated list of items, or a special keyword like ALL, > which matches any service or client. (See the hosts access(5) manpage for a list of > other keywords.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: Partial hostnames start at the root domain and are delimited by > the . character. So the client machine host03.dev.example.com, with IP address 10.7.2.3, > could be matched by any of the specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > .example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > .dev.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 10.7.2.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.4.2"> > <xccdf:title xml:lang="en">Reject All Connections From Other Hosts if Appropriate</xccdf:title> > <xccdf:description xml:lang="en"> > Restrict all connections to non-public services to localhost > only. Suppose pubsrv1 and pubsrv2 are the names of daemons which must be accessed > remotely. Configure TCP Wrapper as follows. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/hosts.allow. Add the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > pubsrv1 ,pubsrv2 : ALL<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ALL: localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/hosts.deny. 
Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ALL: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These rules deny connections to all TCP Wrapper enabled services from any > host other than localhost, but allow connections from anywhere to the services which > must be publicly accessible. (If no public services exist, the first line in > /etc/hosts.allow may be omitted.)</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.4.3"> > <xccdf:title xml:lang="en">Allow Connections Only From Hosts in This Domain if Appropriate</xccdf:title> > <xccdf:description xml:lang="en"> > For each daemon, domainsrv , which only needs to be contacted > from inside the local domain, example.com , configure TCP Wrapper to deny remote > connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/hosts.allow. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > domainsrv : .example.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/hosts.deny. Add the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > domainsrv : ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > There are many possible > examples of services which need to communicate only within the local domain. If a > machine is a local compute server, it may be necessary for users to connect via SSH from > their desktop workstations, but not from outside the domain. In that case, you should > protect the daemon sshd using this method. 
As another example, RPC-based services such > as NFS might be enabled within the domain only, in which case the daemon portmap should > be protected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </xccdf:description> > <xccdf:warning xml:lang="en">Note: This example protects only the service domainsrv . No filtering is > done on other services unless a line is entered into /etc/hosts.deny which refers to > those services by name, or which restricts the special service ALL.</xccdf:warning> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.4.4"> > <xccdf:title xml:lang="en">Monitor Syslog for Relevant Connections and Failures</xccdf:title> > <xccdf:description xml:lang="en"> > Ensure that the following line exists in /etc/syslog.conf. > (This is the default, so it is likely to be correct if the configuration has not been > modified): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > authpriv.* /var/log/secure <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Configure logwatch or other log monitoring tools > to periodically summarize failed connections reported by TCP Wrapper at the facility > authpriv.info. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, TCP Wrapper audits all rejected connections at the facility > authpriv, level info. 
In the log file, TCP Wrapper rejections will contain the > substring: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > daemon[pid]: refused connect from ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These lines can be used to detect > malicious scans, and to debug failures resulting from an incorrect TCP Wrapper > configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If appropriate, it is possible to change the syslog facility and level > used by a given TCP Wrapper rule by adding the severity option to each desired > configuration line in /etc/hosts.deny: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > daemon : client : severity facility.level <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, successful connections are not logged by TCP Wrapper. See Section 2.6 for > more information about system auditing.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.4.5"> > <xccdf:title xml:lang="en">Further Resources</xccdf:title> > <xccdf:description xml:lang="en"> > For more information about TCP Wrapper, see the tcpd(8) and > hosts_access(5) manpages and the documentation directory /usr/share/doc/tcp_wrappers-version. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Some information may be available from the Tools section of the > author's website, http://www.porcupine.org, and from the RHEL4 Reference Guide [6].</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5"> > <xccdf:title xml:lang="en">Iptables and Ip6tables</xccdf:title> > <xccdf:description xml:lang="en"> > A host-based firewall called Netfilter is included as part of the > Linux kernel distributed with the system. It is activated by default. This firewall is > controlled by the program iptables, and the entire capability is frequently referred to by > this name. An analogous program called ip6tables handles filtering for IPv6. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Unlike TCP > Wrappers, which depends on the network server program to support and respect the rules > written, Netfilter filtering occurs at the kernel level, before a program can even process > the data from the network packet. As such, any program on the system is affected by the > rules written. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This section provides basic information about strengthening the iptables > and ip6tables configurations included with the system. 
For more complete information that > may allow the construction of a sophisticated ruleset tailored to your environment, please > consult the references at the end of this section.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.1"> > <xccdf:title xml:lang="en">Inspect and Activate Default Rules</xccdf:title> > <xccdf:description xml:lang="en"> > View the currently-enforced iptables rules by running the > command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># iptables -nL --line-numbers <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The command is analogous for the ip6tables program. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the firewall does not appear to be active (i.e., no rules appear), activate > it and ensure that it starts at boot by issuing the following commands (and analogously > for ip6tables): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service iptables restart <xhtml:br/> > # chkconfig iptables on <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default iptables rules are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Chain INPUT (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Chain FORWARD (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > num target prot 
opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Chain OUTPUT (policy ACCEPT) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Chain RH-Firewall-1-INPUT (2 references) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > num target prot opt source destination <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The ip6tables default rules are similar, with > its rules 2 and 10 reflecting protocol naming and addressing differences. 
Instead of > rule 8, however, ip6tables includes two rules that accept all incoming udp and tcp > packets with a particular destination port range. This is because the current Netfilter > implementation for IPv6 lacks reliable connection-tracking functionality. Those two port-range rules accept unsolicited inbound traffic to any service listening in that range, so where the kernel does provide IPv6 connection tracking (the nf_conntrack_ipv6 module on newer kernels), replace them with a state RELATED,ESTABLISHED rule analogous to iptables rule 8.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.5.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Verify ip6tables is enabled</xccdf:title> > <xccdf:description>The ip6tables service should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4167-3</xccdf:ident> > <xccdf:fix>chkconfig ip6tables on</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20146"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.5.1.b" selected="false" severity="high" weight="10.0"> > <xccdf:title>Verify iptables is enabled</xccdf:title> > <xccdf:description>The iptables service should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4189-7</xccdf:ident> > <xccdf:fix>chkconfig iptables on</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20147"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.2"> > <xccdf:title xml:lang="en">Understand the Default Ruleset</xccdf:title> > <xccdf:description xml:lang="en"> > Understanding and creating firewall rules can be a challenging > activity, filled with corner cases and difficult-to-debug problems. Because of this, > administrators should develop a thorough understanding of the default ruleset before > carefully modifying it. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default ruleset is divided into four sections, each of which > is called a chain: INPUT, FORWARD, OUTPUT, and RH-Firewall-1-INPUT. INPUT, OUTPUT, and > FORWARD are built-in chains. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The INPUT chain is activated on packets destined for > (i.e., addressed to) the system. </xhtml:li><xhtml:li>The OUTPUT chain is activated on packets which are > originating from the system. </xhtml:li><xhtml:li>The FORWARD chain is activated for packets that the > system will process and send through another interface, if so configured. </xhtml:li><xhtml:li>The > RH-Firewall-1-INPUT chain is a custom (or user-defined) chain, which is used by the > INPUT and FORWARD chains. </xhtml:li></xhtml:ul> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A packet starts at the first rule in the appropriate chain and > proceeds until it matches a rule. If a match occurs, then control will jump to the > specified target. The default ruleset uses the built-in targets ACCEPT and REJECT, and > also the user-defined target/chain RH-Firewall-1-INPUT. Jumping to the target ACCEPT > means to allow the packet through, while REJECT means to drop the packet and send an > error message to the sending host. A related target called DROP means to drop the packet > on the floor without even sending an error message. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default policy for all of the > built-in chains (shown after their names in the rule output above) is set to ACCEPT. > This means that if no rules in the chain match the packets, they are allowed through. 
> Because no rules at all are written for the OUTPUT chain, this means that iptables does > not stop any packets originating from the system. The INPUT and FORWARD chains jump to > the user-defined target RH-Firewall-1-INPUT for all packets. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > RH-Firewall-1-INPUT tries > to match, in order, the following rules for both iptables and ip6tables: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Rule 1 > appears to accept all packets. However, this appears true only because the rules are not > presented in verbose mode. Executing the command <xhtml:br/> > <xhtml:br/> > <xhtml:code># iptables -vnL --line-numbers <xhtml:br/></xhtml:code> > <xhtml:br/> > reveals > that this rule applies only to the loopback (lo) interface (see column in), while all > other rules apply to all interfaces. Thus, packets not coming from the loopback > interface do not match and proceed to the next rule. </xhtml:li><xhtml:li>Rule 2 explicitly allows all icmp > packet types; iptables uses the code 255 to mean all icmp types. </xhtml:li><xhtml:li>Rule 3 explicitly > allows all esp packets; these are packets which contain IPsec ESP headers.</xhtml:li><xhtml:li>Rule 4 > explicitly allows all ah packets; these are packets which contain an IPsec > authentication header SPI. </xhtml:li><xhtml:li>Rule 5 allows inbound communication on udp port 5353 > (mDNS), which the avahi daemon uses. </xhtml:li><xhtml:li>Rules 6 and 7 allows inbound communication on > both tcp and udp port 631, which the cups daemon uses. </xhtml:li><xhtml:li>Rule 8, in the iptables rules, > allows inbound packets that are part of a session initiated by the system. In ip6tables, > rules 8 and 9 allow any inbound packets with a destination port address between 32768 > and 61000. 
</xhtml:li><xhtml:li>Rule 9 (10, for ip6tables) allows inbound connections on tcp port 22, which > is the SSH protocol. </xhtml:li><xhtml:li>Rule 10 (11, for ip6tables) rejects all other packets and sends > an error message to the sender. Because this is the last rule and matches any packet, it > effectively prevents any packet from reaching the chain's default ACCEPT policy. > Preventing the acceptance of any packet that is not explicitly allowed is proper design > for a firewall.</xhtml:li></xhtml:ul></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.3"> > <xccdf:title xml:lang="en">Strengthen the Default Ruleset</xccdf:title> > <xccdf:description xml:lang="en"> > The default rules can be strengthened. The system scripts that > activate the firewall rules expect them to be defined in the configuration files > iptables and ip6tables in the directory /etc/sysconfig. Many of the lines in these files > are similar to the command line arguments that would be provided to the programs > /sbin/iptables or /sbin/ip6tables — but some are quite different. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The following recommendations describe how to strengthen the default > ruleset configuration file. An alternative to editing this configuration file is to > create a shell script that makes calls to the iptables program to load in rules, and > then invokes service iptables save to write those loaded rules to > /etc/sysconfig/iptables (this overwrites the previously saved file, so keep a copy of it first). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The following alterations can be made directly to > /etc/sysconfig/iptables and /etc/sysconfig/ip6tables. Instructions apply to both unless > otherwise noted. 
Language and address conventions for regular iptables are used > throughout this section; configuration for ip6tables will be either analogous or > explicitly covered.</xccdf:description> > <xccdf:warning xml:lang="en">The program > system-config-securitylevel allows additional services to penetrate the default firewall > rules and automatically adjusts /etc/sysconfig/iptables. This program is only useful > if the default ruleset meets your security requirements. Otherwise, this program should > not be used to make changes to the firewall configuration because it re-writes the saved > configuration file. </xccdf:warning> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.3.1"> > <xccdf:title xml:lang="en">Change the Default Policies</xccdf:title> > <xccdf:description xml:lang="en"> > Change the default policy to DROP (from ACCEPT) for the INPUT > and FORWARD built-in chains: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > *filter <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > :INPUT DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > :FORWARD DROP [0:0] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Before reloading the rules, confirm that the RH-Firewall-1-INPUT rules which admit your administrative session (the state RELATED,ESTABLISHED rule and the tcp dpt:22 rule shown above) are still present: with a DROP policy, any inbound packet that matches no rule is silently discarded, so an empty or flushed chain cuts off remote access. Changing > the default policy in this way implements proper design for a firewall, i.e. 
any > packets which are not explicitly permitted should not be accepted.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.5.3.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain</xccdf:title> > <xccdf:description>Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain.</xccdf:description> > <xccdf:fixtext>(1) via /etc/sysconfig/iptables (and /etc/sysconfig/ip6tables): in the *filter section set the policy line to :INPUT DROP [0:0], then run service iptables restart (and service ip6tables restart)</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201474"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.5.3.1.b" selected="false" severity="high" weight="10.0"> > <xccdf:title>Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain</xccdf:title> > <xccdf:description>Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain.</xccdf:description> > <xccdf:fixtext>(1) via /etc/sysconfig/iptables (and /etc/sysconfig/ip6tables): in the *filter section set the policy line to :FORWARD DROP [0:0], then run service iptables restart (and service ip6tables restart)</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201475"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.3.2"> > <xccdf:title xml:lang="en">Restrict ICMP Message Types</xccdf:title> > <xccdf:description xml:lang="en"> > In /etc/sysconfig/iptables, the accepted ICMP message types > can be restricted. 
To accept only ICMP echo reply, destination unreachable, and time > exceeded messages, remove the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and insert the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To allow the system to respond to pings, also insert the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ping responses can also be limited to certain > networks or hosts by using the -s option in the previous rule. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Because IPv6 depends so > heavily on ICMPv6, it is preferable to deny the ICMPv6 packets you know you don't need > (e.g. 
ping requests) in /etc/sysconfig/ip6tables, while letting everything else > through: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type echo-request -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If you > are going to statically configure the machine's address, it should ignore Router > Advertisements which could add another IPv6 address to the interface or alter > important network settings: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Restricting other ICMPv6 message types in > /etc/sysconfig/ip6tables is not recommended because the operation of IPv6 depends > heavily on ICMPv6. Thus, more care must be taken when blocking ICMPv6 types.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.3.3"> > <xccdf:title xml:lang="en">Remove IPsec Rules</xccdf:title> > <xccdf:description xml:lang="en"> > If the system will not process IPsec traffic, then remove the > following rules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p 50 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p 51 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.3.4"> > <xccdf:title xml:lang="en">Log and Drop Packets with Suspicious Source Addresses</xccdf:title> > <xccdf:description xml:lang="en"> > Packets with non-routable source addresses should be > rejected, as they may indicate spoofing. 
Because the modified default policy will drop > non-matching packets, you only need to add these rules if you are interested in also > logging these spoofing or suspicious attempts before they are dropped. If you do > choose to log various suspicious traffic, add identical rules with a target of DROP > after each LOG. Note that these rules are appended to the INPUT chain: if INPUT already jumps into RH-Firewall-1-INPUT and that chain ends with the catch-all REJECT or DROP shown below, rules appended after the jump are never evaluated, so place them ahead of it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To log and then drop these IPv4 packets, insert the following rules in > /etc/sysconfig/iptables (excepting any that are intentionally used): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -i eth0 -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Similarly, you might wish to log packets containing some IPv6 > reserved addresses if they are not expected on your network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If you are not expecting to see site-local multicast or auto-tunneled traffic, you > can log those: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If you wish to block multicasts to all > link-local nodes (e.g. 
if you are not using router autoconfiguration and do not plan > to have any services that multicast to the entire local network), you can block the > link-local all-nodes multicast address (before accepting incoming ICMPv6): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, if you're > going to allow IPv4-compatible IPv6 addresses (of the form ::0.0.0.0/96), you should > then consider logging the non-routable IPv4-compatible addresses: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s ::224.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If you are not expecting to see any IPv4 (or IPv4-compatible) traffic > on your network, consider logging it before it gets dropped: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The following rule will log all traffic > originating from a 
site-local address, which is deprecated address space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.3.5"> > <xccdf:title xml:lang="en">Log and Drop All Other Packets</xccdf:title> > <xccdf:description xml:lang="en"> > To log before dropping all packets that are not explicitly > accepted by previous rules, change the final lines from <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > to <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -j LOG <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -j DROP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > COMMIT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The rule to log all dropped packets must be used > with care. Chatty but otherwise non-malicious network protocols (e.g. NetBIOS) may > result in voluminous logs; insertion of earlier rules to explicitly drop their packets > without logging may be appropriate. An unthrottled LOG rule also lets any remote sender fill the log partition at will, so rate-limit it, for example by adding -m limit --limit 5/min --limit-burst 10 before -j LOG.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.4"> > <xccdf:title xml:lang="en">Further Strengthening</xccdf:title> > <xccdf:description xml:lang="en"> > Further strengthening, particularly as a result of > customization to a particular environment, is possible for the iptables rules. 
Consider > the following options, though their practicality depends on the network environment and > usage scenario: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Restrict outgoing traffic. As shown above for INPUT and FORWARD, the OUTPUT chain's default > policy can likewise be changed to DROP, and rules can be written to specifically allow only > certain types of outbound traffic. Such a policy could prevent casual usage of insecure > protocols such as ftp and telnet, or even disrupt spyware. However, it would still not > prevent a sophisticated user or program from using a proxy to circumvent the intended > effects, and many client programs even try to automatically tunnel through port 80 to > avoid such restrictions.</xhtml:li><xhtml:li>SYN flood protection. SYN flood protection can be provided by > iptables, but might run into limiting issues for servers. For example, the iplimit match (superseded in later netfilter releases by the connlimit match) > can be used to limit simultaneous connections from a given host or class. Similarly, the > recent match allows the firewall to deny additional connections from any host within a > given period of time (e.g. more than 3 --state NEW connections on port 22 within a minute > to prevent dictionary login attacks). <xhtml:br/> > <xhtml:br/> > A more precise option for DoS protection is using > TCP SYN cookies. (See Section 2.5.1.2 for more information.)</xhtml:li></xhtml:ul></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.5.5"> > <xccdf:title xml:lang="en">Further Resources</xccdf:title> > <xccdf:description xml:lang="en"> > More complex, restrictive, and powerful rulesets can be > created, but this requires careful customization that relies on knowledge of the > particular environment. 
The following resources provide more detailed information: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The iptables(8) man page </xhtml:li><xhtml:li>The Netfilter Project's documentation at http://www.netfilter.org</xhtml:li><xhtml:li>The Red Hat Enterprise Linux Reference Guide</xhtml:li></xhtml:ul></xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6"> > <xccdf:title xml:lang="en">Secure Sockets Layer Support</xccdf:title> > <xccdf:description xml:lang="en"> > The Secure Sockets Layer (SSL) protocol provides encrypted and > authenticated network communications, and many network services include support for it. > Using SSL is recommended, especially to avoid any plaintext transmission of sensitive > data, even over a local network. The SSL implementation included with the system is called > OpenSSL. Recent implementations of SSL may also be referred to as Transport Layer Security > (TLS). The original SSL versions 2 and 3 are obsolete and have known weaknesses; services should be configured to negotiate TLS only. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSL uses public key cryptography to provide authentication and encryption. Public > key cryptography involves two keys, one called the public key and the other called the > private key. These keys are mathematically related such that data encrypted with one key > can only be decrypted by the other, and vice versa. As their names suggest, public keys > can be distributed to anyone while a private key must remain known only to its owner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSL uses certificates, which are files that hold cryptographic data: a public key, the identity of its owner, and a > signature over that public key and identity. In SSL authentication, a server presents a client with its > certificate as a means of demonstrating that it is who it claims it is. 
If everything goes > correctly, the client can verify the server's certificate by determining that the > signature inside the certificate could only have been generated by a third party whom the > client trusts. This third party is called a Certificate Authority (CA). Each client system > should also have certificates from trusted CAs, and the client uses these CA certificates > to verify the authenticity of the server's certificate. After authenticating a server > using its certificate and a CA certificate, SSL provides encryption by using the server > certificate to securely negotiate a shared secret key. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If your server must communicate > using SSL with systems that might not be able to securely accept a new CA certificate > prior to any SSL communication, then paying an established CA (whose certificates your > clients already have) to sign your server certificates is recommended. The steps for doing > this vary by vendor. Once the signed certificates have been obtained, configuration of the > services is the same whether they were purchased from a vendor or signed by your own CA.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For setting up an internal network and encrypting local traffic, creating your own CA to > sign SSL certificates can be appropriate. 
The major steps in this process are: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Create a CA to sign certificates </xhtml:li><xhtml:li>Create SSL certificates for servers using that CA</xhtml:li><xhtml:li>Enable client support by distributing the CA's certificate</xhtml:li></xhtml:ol></xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6.1"> > <xccdf:title xml:lang="en">Create a CA to Sign Certificates</xccdf:title> > <xccdf:description xml:lang="en"> > The following instructions apply to OpenSSL since it is > included with the system, but creating a CA is possible with any standards-compliant SSL > toolkit. The security of certificates depends on the security of the CA that signed > them, so performing these steps on a secure machine is critical. The system used as a CA > should be physically secure and not connected to any network. It should receive any > certificate signing requests (CSRs) via removable media and output certificates onto > removable media. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The script /etc/pki/tls/misc/CA is included to assist in the process of > setting up a CA. This script uses many settings in /etc/pki/tls/openssl.cnf. The > settings in this file can be changed to suit your needs and allow easier selection of > default settings, particularly in the [req_distinguished_name] section. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To create the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/misc <xhtml:br/> > # ./CA -newca <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>When prompted, press enter to create a new CA key with the default name cakey.pem.</xhtml:li><xhtml:li>When prompted, enter a password that will protect the private key, then enter the same password > again to verify it.</xhtml:li><xhtml:li>At the prompts, fill out as much of the CA information as is relevant for your site. You must specify > a common name, or generation of the CA certificate will fail. </xhtml:li><xhtml:li>Next, you will be prompted for the password, so that the script can re-open the private key in order > to write the certificate.</xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This step performs the following actions: > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>creates the directory > /etc/pki/CA (by default), which contains files necessary for the operation of a > certificate authority. These are:</xhtml:li><xhtml:ul><xhtml:li>serial, which contains the current serial number for certificates signed by the CA</xhtml:li><xhtml:li>index.txt, which is a text database file that contains information about certificates signed</xhtml:li><xhtml:li>crl, which is a directory for holding revoked certificates</xhtml:li><xhtml:li>private, a directory which stores the CA's private key</xhtml:li></xhtml:ul><xhtml:li>creates a public-private key pair for the CA in the file /etc/pki/CA/private/cakey.pem. 
The > private key must be kept private in order to ensure the security of the certificates the CA will later sign.</xhtml:li><xhtml:li>signs the public key (using the corresponding private key, in a process called self-signing) to create the CA > certificate, which is then stored in /etc/pki/CA/cacert.pem. </xhtml:li><xhtml:li/></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > When the CA later signs a server certificate using its private > key, it means that it is vouching for the authenticity of that server. A client can then > use the CA's certificate (which contains its public key) to verify the authenticity of > the server certificate. To accomplish this, it is necessary to distribute the CA > certificate to any clients as covered in Section 2.5.6.3.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6.2"> > <xccdf:title xml:lang="en">Create SSL Certificates for Servers</xccdf:title> > <xccdf:description xml:lang="en"> > Creating an SSL certificate for a server involves the following steps: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>A public-private key pair for the server must be generated.</xhtml:li><xhtml:li>A certificate signing request (CSR) must be created from the key pair.</xhtml:li><xhtml:li>The CSR must be signed by a > certificate authority (CA) to create the server certificate. If a CA has been set up as > described in Section 2.5.6.1, it can sign the CSR.</xhtml:li><xhtml:li>The server certificate and keys must be installed on the server. 
</xhtml:li></xhtml:ol> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Instructions on how to generate and sign SSL certificates are provided for the following > common services:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Mail server, in Section 3.11.4.6.</xhtml:li><xhtml:li>Dovecot, in Section 3.17.2.2. </xhtml:li><xhtml:li>Apache, in Section 3.16.4.1.</xhtml:li></xhtml:ul></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6.3"> > <xccdf:title xml:lang="en">Enable Client Support</xccdf:title> > <xccdf:description xml:lang="en"> > The system ships with certificates from well-known commercial > CAs. If your server certificates were signed by one of these established CAs, then this > step is not necessary since the clients should include the CA certificate already. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If your servers use certificates signed by your own CA, some user applications will warn > that the server's certificate cannot be verified because the CA is not recognized. Other > applications may simply fail to accept the certificate and refuse to operate, or > continue operating without ever having properly verified the server certificate. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To avoid this warning, and properly authenticate the servers, your CA certificate must be > exported to every application on every client system that will be connecting to an > SSL-enabled server.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6.3.1"> > <xccdf:title xml:lang="en">Adding a Trusted CA for Firefox</xccdf:title> > <xccdf:description xml:lang="en"> > Firefox needs to have a certificate from the CA that signed > the web server's certificate, so that it can authenticate the web server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To import a new CA certificate into Firefox 1.5:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Launch Firefox and choose Preferences from the Edit menu. </xhtml:li><xhtml:li>Click the Advanced button.</xhtml:li><xhtml:li>Select the Security pane.</xhtml:li><xhtml:li>Click the View Certificates button.</xhtml:li><xhtml:li>Click the Authorities tab. 
</xhtml:li><xhtml:li>Click the Import button at the bottom of the screen.</xhtml:li><xhtml:li>Navigate to the CA certificate and import it.</xhtml:li></xhtml:ol></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6.3.2"> > <xccdf:title xml:lang="en">Adding a Trusted CA for Thunderbird</xccdf:title> > <xccdf:description xml:lang="en"> > Thunderbird needs to have a certificate from the CA that > signed the mail server's certificates, so that it can authenticate the mail server(s).<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To import a new CA certificate into Thunderbird 2: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Launch Thunderbird and choose Account Settings from the Edit menu.</xhtml:li><xhtml:li>Click the Advanced button.</xhtml:li><xhtml:li>Select the Certificates tab.</xhtml:li><xhtml:li>Click the View Certificates button.</xhtml:li><xhtml:li>Select the Authorities tab.</xhtml:li><xhtml:li>Click the Import button at the bottom of the screen.</xhtml:li><xhtml:li>Navigate to the CA certificate and import it. Determine whether the CA should > be used to identify web sites, e-mail users, and software developers and trust it for > each accordingly; grant only the purposes your CA actually serves, since a CA trusted for every purpose can impersonate any site or sender if its key is ever compromised.</xhtml:li></xhtml:ol></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6.3.3"> > <xccdf:title xml:lang="en">Adding a Trusted CA for Evolution</xccdf:title> > <xccdf:description xml:lang="en"> > The Evolution e-mail client needs to have a certificate from > the CA that signed the mail server's certificates, so that it can authenticate the > mail server(s). 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To import a new CA certificate into Evolution: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Launch Evolution and choose Preferences from the Edit menu.</xhtml:li><xhtml:li>Select Certificates from the icon list on the left.</xhtml:li><xhtml:li>Select the Authorities tab.</xhtml:li><xhtml:li>Click the Import button.</xhtml:li><xhtml:li/><xhtml:li/><xhtml:li>Navigate to the CA certificate and import it.</xhtml:li></xhtml:ol></xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.6.4"> > <xccdf:title xml:lang="en">Further Resources</xccdf:title> > <xccdf:description xml:lang="en"> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"> > <xhtml:li>The OpenSSL Project home page at http://www.openssl.org</xhtml:li> > <xhtml:li>The openssl(1) man page</xhtml:li> > <xhtml:li>Jeremy Mates's how-to: http://sial.org/howto/openssl</xhtml:li> > </xhtml:ul> > </xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.7"> > <xccdf:title xml:lang="en">Uncommon Network Protocols</xccdf:title> > <xccdf:description xml:lang="en"> > The system includes support for several network protocols which are not commonly used. Although security vul- > nerabilities in kernel networking code are not frequently discovered, the consequences can be dramatic. 
Ensuring > uncommon network protocols are disabled reduces the system's exposure to attacks targeted at its implementation of > those protocols. The install directive used below only prevents the module from being loaded on demand; a module that is already loaded must be unloaded (or the system rebooted), and the result should be verified with lsmod.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.7.1"> > <xccdf:title xml:lang="en">Disable Support for DCCP</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent the DCCP kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install dccp /bin/true<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Datagram Congestion Control Protocol (DCCP) is a relatively new transport layer protocol, designed to > support streaming media and telephony.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.7.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Support for DCCP</xccdf:title> > <xccdf:description>Support for DCCP should be disabled.</xccdf:description> > <xccdf:fixtext>(1) via /etc/modprobe.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201476"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.7.2"> > <xccdf:title xml:lang="en">Disable Support for SCTP</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent the SCTP kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install sctp /bin/true<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Stream Control Transmission Protocol (SCTP) is a transport 
layer protocol, designed to support the idea > of message-oriented communication, with several streams of messages within one connection.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.7.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Support for SCTP</xccdf:title> > <xccdf:description>Support for SCTP should be disabled.</xccdf:description> > <xccdf:fixtext>(1) via /etc/modprobe.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201477"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.7.3"> > <xccdf:title xml:lang="en">Disable Support for RDS</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent the RDS kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install rds /bin/true<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide reliable high- > bandwidth, low-latency communications between nodes in a cluster.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.7.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Support for RDS</xccdf:title> > <xccdf:description>Support for RDS should be disabled.</xccdf:description> > <xccdf:fixtext>(1) via /etc/modprobe.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201478"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.5.7.4"> > 
<xccdf:title xml:lang="en">Disable Support for TIPC</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent the TIPC kernel module from being loaded, add the following line to /etc/modprobe.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">install tipc /bin/true<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communications between > nodes in a cluster.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.5.7.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Support for TIPC</xccdf:title> > <xccdf:description>Support for TIPC should be disabled.</xccdf:description> > <xccdf:fixtext>(1) via /etc/modprobe.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201479"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6"> > <xccdf:title xml:lang="en">Logging and Auditing</xccdf:title> > <xccdf:description xml:lang="en"> > Successful local or network attacks on systems do not necessarily > leave clear evidence of what happened. It is necessary to build a configuration in advance > that collects this evidence, both in order to determine that something anomalous has > occurred, and in order to respond appropriately. In addition, a well-configured logging and > audit infrastructure will show evidence of any misconfiguration which might leave the system > vulnerable to attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Logging and auditing take different approaches to collecting data. 
A > logging infrastructure provides a framework for individual programs running on the system to > report whatever events are considered interesting: the sshd program may report each > successful or failed login attempt, while the sendmail program may report each time it sends > an e-mail on behalf of a local or remote user. An auditing infrastructure, on the other > hand, reports each instance of certain low-level events, such as entry to the setuid system > call, regardless of which program caused the event to occur. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Auditing has the advantage of > being more comprehensive, but the disadvantage of reporting a large amount of information, > most of which is uninteresting. Logging (particularly using a standard framework like > syslog) has the advantage of being compatible with a wide variety of client applications, > and of reporting only information considered important by each application, but the > disadvantage that the information reported is not consistent between applications. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A robust > infrastructure will perform both logging and auditing, and will use configurable automated > methods of summarizing the reported data, so that system administrators can remove or > compress reports of events known to be uninteresting in favor of alert monitoring for events > known to be interesting. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This section discusses how to configure logging, log monitoring, > and auditing, using tools included with RHEL5. 
It is recommended that syslog be used for > logging, with logwatch providing summarization, and that auditd be used for auditing, with > aureport providing summarization.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1"> > <xccdf:title xml:lang="en">Configure Syslog</xccdf:title> > <xccdf:description xml:lang="en"> > Syslog has been the default Unix logging mechanism for many years. This section > discusses how to configure syslog for best effect, and how to use tools provided with the > system to maintain and monitor your logs.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Configure Rsyslog</xccdf:title> > <xccdf:description>The rsyslog service should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3679-8</xccdf:ident> > <xccdf:fix>chkconfig rsyslog on</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20148"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.1"> > <xccdf:title xml:lang="en">Ensure All Important Messages are Captured</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:span xmlns:xhtml="http://www.w3.org/1999/xhtml">Edit the file /etc/syslog.conf. 
Add or correct whichever of the > following lines are appropriate for your environment: <xhtml:br/> > <xhtml:br/> > auth,info.* /var/log/messages<xhtml:br/> > kern.* /var/log/kern.log <xhtml:br/> > daemon.* /var/log/daemon.log <xhtml:br/> > syslog.* /var/log/syslog<xhtml:br/> > lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log<xhtml:br/></xhtml:span><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > When a message is sent to syslog for logging, it is sent with a facility name (such as > mail, auth, or local2), and a priority (such as debug, notice, or emerg). Each line of > syslog's configuration file is a directive which specifies a set of facility/priority > pairs, and then gives a filename or host to which log messages of matching types should > be sent. In order for a message to match a type, the facility must match, and the > priority must be the priority named in the rule or any higher priority. (See > syslog.conf(5) for an ordered list of priorities.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Older versions of syslog mandated a > very restrictive format for the syslog.conf file. However, the version of syslog shipped > with RHEL5 allows any sort of whitespace (spaces or tabs, not just tabs) to separate the > selection criteria from the message disposition, and allows the use of facility.* as a > wildcard matching a given facility at any priority. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default RHEL5 syslog > configuration stores the facilities authpriv, cron, and mail in named logs. 
This guide > describes the implementation of the following configuration, but any configuration which > stores the important facilities and is usable by the administrators will suffice:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Store each of the facilities kern, daemon, and syslog in its own log, so that it will be > easy to access information about messages from those facilities. </xhtml:li><xhtml:li>Restrict the > information stored in /var/log/messages to only the facilities auth and user, and store > all messages from those facilities. Messages can easily become cluttered otherwise. </xhtml:li><xhtml:li>Store information about all facilities which should not be in use at this site in a file > called /var/log/unused.log. If any messages are logged to this file at some future > point, this may be an indication that an unknown service is running, and should be > investigated. In addition, if news and uucp are not in use at this site, remove the > directive from the default syslog.conf which stores those facilities. </xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Making use of the > local facilities is also recommended. Specific configuration is beyond the scope of this > guide, but applications such as SSH can easily be configured to log to a local facility > which is not being used for anything else. 
If this is done, reconfigure /etc/syslog.conf > to store this facility in an appropriate named log or in /var/log/messages, rather than > in /var/log/unused.log.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.2"> > <xccdf:title xml:lang="en">Confirm Existence and Permissions of System Log Files</xccdf:title> > <xccdf:description xml:lang="en"> > For each log file LOGFILE referenced in /etc/syslog.conf, run > the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># touch LOGFILE<xhtml:br/> > # chown root:root LOGFILE <xhtml:br/> > # chmod 0600 LOGFILE <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Syslog will > refuse to log to a file which does not exist. All messages intended for that file will > be silently discarded, so it is important to verify that all log files exist. 
Some logs > may contain sensitive information, so it is better to restrict permissions so that only > administrative users can read or write logfiles.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-2.6.1.2.a" operator="equals" type="string"> > <xccdf:title>User who owns log files</xccdf:title> > <xccdf:description xml:lang="en">Specify user owner of all logfiles specified in /etc/syslog.conf.</xccdf:description> > <xccdf:question xml:lang="en">Specify user owner of all logfiles specified in /etc/syslog.conf</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.6.1.2.b" operator="equals" type="string"> > <xccdf:title>group who owns log files</xccdf:title> > <xccdf:description xml:lang="en">Specify group owner of all logfiles specified in /etc/syslog.conf.</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of all logfiles specified in /etc/syslog.conf</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-2.6.1.2.c" operator="equals" type="string"> > <xccdf:title>File permissions on logfiles</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions of all logfiles specified in /etc/syslog.conf.</xccdf:description> > <xccdf:question xml:lang="en">Specify permissions of all logfiles specified in /etc/syslog.conf</xccdf:question> > <xccdf:value>110000000</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="600">110000000</xccdf:value> > <xccdf:value selector="700">111000000</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Confirm user that owns System Log Files</xccdf:title> > <xccdf:description>All syslog log files should be owned by root.</xccdf:description> > <xccdf:ident 
system="http://cce.mitre.org">CCE-4366-1</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20149" value-id="xccdf_cdf_value_var-2.6.1.2.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20149"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Confirm group that owns System Log Files</xccdf:title> > <xccdf:description>All syslog log files should be group owned by root.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3701-0</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20150" value-id="xccdf_cdf_value_var-2.6.1.2.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20150"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Confirm Permissions of System Log Files</xccdf:title> > <xccdf:description>File permissions for all syslog log files should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4233-3</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20151" value-id="xccdf_cdf_value_var-2.6.1.2.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20151"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.3"> > <xccdf:title xml:lang="en">Send Logs to a Remote Loghost</xccdf:title> > 
<xccdf:description xml:lang="en"> > Edit /etc/syslog.conf. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > *.* @loghost.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where loghost.example.com is the name of your central log server.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If system logs are to be useful in detecting malicious activities, it is necessary to > send logs to a remote server. An intruder who has compromised the root account on a > machine may delete the log entries which indicate that the system was attacked before > they are seen by an administrator. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, it is recommended that logs be stored on the > local host in addition to being sent to the loghost, because syslog uses the UDP > protocol to send messages over a network. UDP does not guarantee reliable delivery, and > moderately busy sites will lose log messages occasionally, especially in periods of high > traffic which may be the result of an attack. In addition, remote syslog messages are > not authenticated in any way, so it is easy for an attacker to introduce spurious > messages to the central log server. Also, some problems cause loss of network > connectivity, which will prevent the sending of messages to the central server. 
For all > of these reasons, it is better to store log messages both centrally and on each host, so > that they can be correlated if necessary.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Send Logs to a Remote Loghost</xccdf:title> > <xccdf:description>Syslog logs should be sent to a remote loghost</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4260-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/syslog.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20152"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.4"> > <xccdf:title xml:lang="en">Enable syslogd to Accept Remote Messages on Loghosts Only</xccdf:title> > <xccdf:description xml:lang="en"> > Is this machine the central log server for your organization? > If so, edit the file /etc/sysconfig/syslog. Add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SYSLOGD_OPTIONS="-m 0 -r -s example.com " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where example.com is the name of your domain.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the machine is not a log server, edit /etc/sysconfig/syslog, and instead add or > correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SYSLOGD_OPTIONS="-m 0" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, RHEL5's syslog does not listen over > the network for log messages. 
The -r flag enables syslogd to listen over a network, and > should be used only if necessary. The -s example.com flag strips the domain name > example.com from each sending machine's hostname before logging messages from that host, > to reduce the amount of redundant information placed in log files. See the syslogd(8) > man page for further information.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable syslogd from Accepting Remote Messages on Loghosts Only</xccdf:title> > <xccdf:description>Syslogd should reject remote messages</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3382-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/syslog</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20153"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.5"> > <xccdf:title xml:lang="en">Ensure All Logs are Rotated by logrotate</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/logrotate.d/syslog. Find the first line, > which should look like this (wrapped for clarity): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \ > /var/log/boot.log /var/log/cron { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit this line so > that it contains a one-space-separated listing of each log file referenced in > /etc/syslog.conf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > All logs in use on a system must be rotated regularly, or the log > files will consume disk space over time, eventually interfering with system operation. 
> The file /etc/logrotate.d/syslog is the configuration file used by the logrotate program > to maintain all log files written by syslog. By default, it rotates logs weekly and > stores four archival copies of each log. These settings can be modified by editing > /etc/logrotate.conf, but the defaults are sufficient for purposes of this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note > that logrotate is run nightly by the cron job /etc/cron.daily/logrotate. If particularly > active logs need to be rotated more often than once a day, some other mechanism must be > used.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.5.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure All Logs are Rotated by logrotate</xccdf:title> > <xccdf:description>The logrotate (syslog rotater) service should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4182-2</xccdf:ident> > <xccdf:fixtext>(1) via cron</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20154"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.6"> > <xccdf:title xml:lang="en">Monitor Suspicious Log Messages using Logwatch</xccdf:title> > <xccdf:description xml:lang="en"> > The system includes an extensible program called Logwatch for > reporting on unusual items in syslog. Logwatch is valuable because it provides a parser > for the syslog entry format and a number of signatures for types of lines which are > considered to be mundane or noteworthy. Logwatch has a number of downsides: the > signatures can be inaccurate and are not always categorized consistently, and you must > be able to program in Perl in order to customize the signature database. 
However, it is > recommended that all Linux sites which do not have time to deploy a third-party log > monitoring application run Logwatch in its default configuration. This provides some > useful information about system activity in exchange for very little administrator > effort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This guide recommends that Logwatch be run only on the central logserver, if > your site has one, in order to focus administrator attention by sending all daily logs > in a single e-mail.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.1.6.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Monitor Suspicious Log Messages using Logwatch</xccdf:title> > <xccdf:description>The logwatch service should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4323-2</xccdf:ident> > <xccdf:fixtext>(1) via cron</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20155"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.6.1"> > <xccdf:title xml:lang="en">Configure Logwatch on the Central Log Server</xccdf:title> > <xccdf:description xml:lang="en"> > Is this machine the central log server? If so, edit the file > /etc/logwatch/conf/logwatch.conf. Add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">HostLimit = no<xhtml:br/> > SplitHosts = yes <xhtml:br/> > MultiEmail = no <xhtml:br/></xhtml:code> > Service = -zz-disk_space <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ensure that logwatch.pl is run nightly from cron. 
(This is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/cron.daily <xhtml:br/> > # ln -s /usr/share/logwatch/scripts/logwatch.pl 0logwatch <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > On a central logserver, you want > Logwatch to summarize all syslog entries, including those which did not originate on > the logserver itself. The HostLimit setting tells Logwatch to report on all hosts, not > just the one on which it is running. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If SplitHosts is set, Logwatch will separate > entries by hostname. This makes the report longer but significantly more usable. If it > is not set, then Logwatch will not report which host generated a given log entry, and > that information is almost always necessary. If MultiEmail is set, then each host's > information will be sent in a separate e-mail message. This is a matter of preference.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Service directive -zz-disk space tells Logwatch not to run the zz-disk space > report, which reports on free disk space. Since all log monitoring is being done on > the central logserver, the disk space listing will always be that of the logserver, > regardless of which host is being monitored. This is confusing, so disable that > service. Note that this does mean that Logwatch will not monitor disk usage > information. 
Many workarounds are possible, such as running df on each host daily via > cron and sending the output to syslog so that it will be reported to the logserver.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.1.6.2"> > <xccdf:title xml:lang="en">Disable Logwatch on Clients if a Logserver Exists</xccdf:title> > <xccdf:description xml:lang="en"> > Does your site have a central logserver which has been > configured to report on logs received from all systems? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/cron.daily/0logwatch <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If no logserver exists, it will be necessary for each > machine to run Logwatch individually. Using a central logserver provides the security > and reliability benefits discussed earlier, and also makes monitoring logs easier and > less time-intensive for administrators.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2"> > <xccdf:title xml:lang="en">System Accounting with auditd</xccdf:title> > <xccdf:description xml:lang="en"> > The audit service is the current Linux recommendation for > kernel-level auditing. By default, the service audits about SELinux AVC denials and > certain types of security-relevant events such as system logins, account modifications, > and authentication events performed by programs such as sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Under its default > configuration, auditd has modest disk space requirements, and should not noticeably impact > system performance. The audit service, in its default configuration, is strongly > recommended for all sites, regardless of whether they are running SELinux. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > DoD or federal networks often have substantial auditing requirements and auditd can be > configured to meet these requirements.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Typical DoD requirements include:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Ensure Auditing is Configured to Collect Certain System Events > <xhtml:ul><xhtml:li>Information on the Use of Print Command (unsuccessful and successful)</xhtml:li><xhtml:li>Startup and Shutdown Events (unsuccessful and successful)</xhtml:li></xhtml:ul> > </xhtml:li><xhtml:li>Ensure the auditing software can record the following for each audit event: > <xhtml:ul><xhtml:li>Date and time of the event</xhtml:li><xhtml:li>Userid that initiated the event</xhtml:li><xhtml:li>Type of event</xhtml:li><xhtml:li>Success or failure of the event</xhtml:li><xhtml:li>For I&A events, the origin of the request (e.g., terminal ID)</xhtml:li><xhtml:li>For events that introduce an object into a user's address space, and for object deletion events, the > name of the object, and in MLS systems, the object's security level.</xhtml:li></xhtml:ul> > </xhtml:li><xhtml:li>Ensure files are backed up no less than weekly onto a different system than the system being audited or > backup media.</xhtml:li><xhtml:li>Ensure old logs are closed out and new audit logs are started daily</xhtml:li><xhtml:li>Ensure the configuration is immutable. 
With the -e 2 setting a reboot will be required to change any audit > rules.</xhtml:li><xhtml:li>Ensure that the audit data files have permissions of 640, or more restrictive.</xhtml:li></xhtml:ul> > </xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.1"> > <xccdf:title xml:lang="en">Enable the auditd Service</xccdf:title> > <xccdf:description xml:lang="en"> > Ensure that the auditd service is enabled (this is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig auditd on <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, auditd logs only SELinux denials, which are > helpful for debugging SELinux and discovering intrusion attempts, and certain types of > security events, such as modifications to user accounts (useradd, passwd, etc), login > events, and calls to sudo. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Data is stored in /var/log/audit/audit.log. By default, > auditd rotates 4 logs by size (5MB), retaining a maximum of 20MB of data in total, and > refuses to write entries when the disk is too full. This minimizes the risk of audit > data filling its partition and impacting other services. 
However, it is possible to lose > audit data if the system is busy.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Enable the auditd Service</xccdf:title> > <xccdf:description>The auditd service should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4292-9</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20156"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.2"> > <xccdf:title xml:lang="en">Configure auditd Data Retention</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Determine STOREMB, the amount of audit data (in megabytes) which should be retained in each log > file. Edit the file /etc/audit/auditd.conf. Add or modify the following line:<xhtml:br/> > <xhtml:br/> > max_log_file = STOREMB</xhtml:li><xhtml:li>Use a dedicated partition (or logical volume) for log files. It is straightforward to create such a partition > or logical volume during system installation time. The partition should be larger than the maximum > space which auditd will ever use, which is the maximum size of each log file (max_log_file) multiplied > by the number of log files (num_logs). Ensure the partition is mounted on /var/log/audit.</xhtml:li><xhtml:li>If your site requires that the machine be disabled when auditing cannot be performed, configure auditd > to halt the system when disk space for auditing runs low. 
Edit /etc/audit/auditd.conf, and add or > correct the following lines:<xhtml:br/> > <xhtml:br/> > space_left_action = email<xhtml:br/> > action_mail_acct = root<xhtml:br/> > admin_space_left_action = halt<xhtml:br/></xhtml:li></xhtml:ul> > The default action to take when the logs reach their maximum size is to rotate the log files, discarding the > oldest one. If it is more important to retain all possible auditing information, even if that opens the possibility > of running out of space and taking the action defined by admin_space_left_action, add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > max_log_file_action = keep_logs<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, auditd retains 4 log files of size 5MB apiece. For a busy system or a system which is thoroughly > auditing system activity, this is likely to be insufficient.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The log file size needed will depend heavily on what types of events are being audited. First configure auditing > to log all the events of interest. Then monitor the log size manually for a while to determine what file size will > allow you to keep the required data for the correct time period.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Using a dedicated partition for /var/log/audit prevents the auditd logs from disrupting system functionality if > they fill, and, more importantly, prevents other activity in /var from filling the partition and stopping the audit > trail. (The audit logs are size-limited and therefore unlikely to grow without bound unless configured to do so.) > Some machines may have requirements that no actions occur which cannot be audited. 
If this is the case, then > auditd can be configured to halt the machine if it runs out of space.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: Since older logs are rotated, configuring auditd this way does not prevent older logs from being rotated > away before they can be viewed. > </xccdf:description> > <xccdf:warning xml:lang="en">If your system is configured to halt when logging cannot be performed, make sure this can never > happen under normal circumstances! Ensure that /var/log/audit is on its own partition, and > that this partition is larger than the maximum amount of data auditd will retain normally.</xccdf:warning> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.3"> > <xccdf:title xml:lang="en">Enable Auditing for Processes Which Start Prior to the Audit Daemon</xccdf:title> > <xccdf:description xml:lang="en"> > To ensure that all processes can be audited, even those which start prior to the audit daemon, add the > argument audit=1 to the kernel line in /etc/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Each process on the system carries an "auditable" flag which indicates whether its activities can be audited. > Although auditd takes care of enabling this for all processes which launch after it does, adding the kernel > argument ensures that it is set for every process during boot. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</xccdf:title> > <xccdf:description> > To ensure that all processes can be audited, even those which start prior to the audit daemon, add the argument audit=1 > to the kernel line in /etc/grub.conf, in the manner below:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/>kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1</xccdf:description> > <xccdf:fixtext>(1) via /etc/grub.conf add audit=1 to kernel line</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20157"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4"> > <xccdf:title xml:lang="en">Configure auditd Rules for Comprehensive Auditing</xccdf:title> > <xccdf:description xml:lang="en"> > The auditd program can perform comprehensive monitoring of system activity. This section describes > recommended configuration settings for comprehensive auditing, but a full description of the auditing system's > capabilities is beyond the scope of this guide. 
The mailing list linux-audit@redhat.com may be a good source > of further information.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The audit subsystem supports extensive collection of events, including:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Tracing of arbitrary system calls (identified by name or number) on entry or exit.</xhtml:li><xhtml:li>Filtering by PID, UID, call success, system call argument (with some limitations), etc.</xhtml:li><xhtml:li>Monitoring of specific files for modifications to the file's contents or metadata.</xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Auditing rules are controlled in the file /etc/audit/audit.rules. Add rules to it to meet the auditing > requirements for your organization. Each line in /etc/audit/audit.rules represents a series of arguments that > can be passed to auditctl and can be individually tested as such. See documentation in > /usr/share/doc/audit-version and in the related man pages for more details.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Recommended audit rules are provided in /usr/share/doc/audit-version/stig.rules. In order to activate > those rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and then edit /etc/audit/audit.rules and comment out the lines containing arch= which are not appropriate > for your system's architecture. 
Then review and understand the following rules, ensuring rules are activated as > needed for the appropriate architecture.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > After reviewing all the rules, reading the following sections, and editing as needed, activate the new rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service auditd restart</xhtml:code></xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.1"> > <xccdf:title xml:lang="en">Records Events that Modify Date and Time Information</xccdf:title> > <xccdf:description xml:lang="en"> > Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your > system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S clock_settime -k time-change<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/localtime -p wa -k time-change > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Records Events that Modify Date and Time Information</xccdf:title> > <xccdf:description>Audit rules about time</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <!--<fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>--> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201575"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" 
id="xccdf_cdf_group_group-2.6.2.4.2"> > <xccdf:title xml:lang="en">Record Events that Modify User/Group Information</xccdf:title> > <xccdf:description xml:lang="en"> > Add the following to /etc/audit/audit.rules, in order to capture events that modify account changes:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/group -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/passwd -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/gshadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/shadow -p wa -k identity<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/security/opasswd -p wa -k identity > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Record Events that Modify User/Group Information</xccdf:title> > <xccdf:description>Audit rules about User/Group Information</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20158"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.3"> > <xccdf:title xml:lang="en">Record Events that Modify the System's Network Environment</xccdf:title> > <xccdf:description xml:lang="en"> > Add the following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your > system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale<xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/issue -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/issue.net -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/hosts -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/sysconfig/network -p wa -k system-locale<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Record Events that Modify the System's Network Environment</xccdf:title> > <xccdf:description>Audit rules about the System's Network Environment</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20159"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.4"> > <xccdf:title xml:lang="en">Record Events that Modify the System's Mandatory Access Controls</xccdf:title> > <xccdf:description xml:lang="en"> > Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/selinux/ -p wa -k MAC-policy > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Record Events that Modify the System's Mandatory Access Controls</xccdf:title> > <xccdf:description>Audit rules about the System's Mandatory Access Controls</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > 
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20160"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.5"> > <xccdf:title xml:lang="en">Ensure auditd Collects Logon and Logout Events</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect login info for all users and root. Add the following to > /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /var/log/faillog -p wa -k logins<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /var/log/lastlog -p wa -k logins > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.5.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Logon and Logout Events</xccdf:title> > <xccdf:description>Audit rules about the Logon and Logout Events</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <!--<fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>--> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20161"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.6"> > <xccdf:title xml:lang="en">Ensure auditd Collects Process and Session Initiation Information</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect process information for all users and root. 
Add the following > to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /var/run/utmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /var/log/btmp -p wa -k session<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /var/log/wtmp -p wa -k session > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.6.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Process and Session Initiation Information</xccdf:title> > <xccdf:description>Audit rules about the Process and Session Initiation Information</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <!--<fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>--> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20162"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.7"> > <xccdf:title xml:lang="en">Ensure auditd Collects Discretionary Access Control Permission Modification Events</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect file permission changes for all users and root. 
Add the > following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -F auid!=4294967295 -k perm_mod<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.7.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Discretionary Access Control Permission Modification Events</xccdf:title> > <xccdf:description>Audit rules about the Discretionary Access Control Permission Modification Events</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20163"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.8"> > <xccdf:title xml:lang="en">Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect unauthorized file accesses for all users and root. 
Add the > following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.8.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</xccdf:title> > <xccdf:description>Audit rules about the Unauthorized Access Attempts to Files (unsuccessful)</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20164"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.9"> > <xccdf:title xml:lang="en">Ensure auditd Collects Information on the Use of Privileged Commands</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect the execution of privileged commands for all users and root. 
> Add the following to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -k privileged > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.9.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Information on the Use of Privileged Commands</xccdf:title> > <xccdf:description>Audit rules about the Information on the Use of Privileged Commands</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20165"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.10"> > <xccdf:title xml:lang="en">Ensure auditd Collects Information on Exporting to Media (successful)</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect media exportation events for all users and root. 
Add the > following to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.10.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Information on Exporting to Media (successful)</xccdf:title> > <xccdf:description>Audit rules about the Information on Exporting to Media (successful)</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20166"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.11"> > <xccdf:title xml:lang="en">Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect file deletion events for all users and root. 
Add the following > to /etc/audit/audit.rules, setting ARCH to either b32 or b64 as appropriate for your system:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -F auid!=4294967295 -k delete > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.11.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</xccdf:title> > <xccdf:description>Audit rules about the Files Deletion Events by User (successful and unsuccessful)</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20167"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.12"> > <xccdf:title xml:lang="en">Ensure auditd Collects System Administrator Actions</xccdf:title> > <xccdf:description xml:lang="en"> > At a minimum the audit system should collect administrator actions for all users and root. 
Add the following > to /etc/audit/audit.rules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /etc/sudoers -p wa -k actions</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.12.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects System Administrator Actions</xccdf:title> > <xccdf:description>Audit rules about the System Administrator Actions</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20168"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.13"> > <xccdf:title xml:lang="en">Ensure auditd Collects Information on Kernel Module Loading and Unloading</xccdf:title> > <xccdf:description xml:lang="en"> > Add the following to /etc/audit/audit.rules in order to capture kernel module loading and unloading > events:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /sbin/insmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /sbin/rmmod -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -w /sbin/modprobe -p x -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -a always,exit -S init_module -S delete_module -k modules<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.13.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading</xccdf:title> > <xccdf:description>Audit rules about the Information on Kernel Module Loading 
and Unloading</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <!--<fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</fix>--> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201685"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.4.14"> > <xccdf:title xml:lang="en">Make the auditd Configuration Immutable</xccdf:title> > <xccdf:description xml:lang="en"> > Add the following to /etc/audit/audit.rules in order to make the configuration immutable:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -e 2<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > With this setting, a reboot will be required to change any audit rules. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-2.6.2.4.14.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Make the auditd Configuration Immutable</xccdf:title> > <xccdf:description>Force a reboot to change audit rules</xccdf:description> > <xccdf:fixtext>(1) via /etc/audit/audit.rules</xccdf:fixtext> > <xccdf:fix>cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20169"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-2.6.2.5"> > <xccdf:title xml:lang="en">Summarize and Review Audit Logs using aureport</xccdf:title> > <xccdf:description xml:lang="en"> > Familiarize yourself with the aureport(8) man page, then design a short series of audit reporting commands > suitable for exploring the audit 
logs on a daily (or more frequent) basis. These commands can be added as a cron > job by placing an appropriately named file in /etc/cron.daily. See the next section for information on how to > ensure that the audit system collects all events needed.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For example, to generate a daily report of every user to log in to the machine, the following command could be > run from cron:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># aureport -l -i -ts yesterday -te today<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To review all audited activity for unusual behavior, a good place to start is to see a summary of which audit > rules have been triggering:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">aureport --key --summary<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If access violations stand out, review them with:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --raw | aureport --file --summary<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To review what executables are doing:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --raw | aureport -x --summary<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If access violations have been occurring on a particular file (such as /etc/shadow) and you want 
to determine > which user is doing this:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># ausearch --key access --file /etc/shadow --raw | aureport --user --summary -i<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Check for anomalous activity (such as device changing to promiscuous mode, processes ending abnormally, login > failure limits being reached) using:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># aureport --anomaly<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The foundation to audit analysis is using keys to classify the events. Information about using ausearch to find > an SELinux problem can be found in Section 2.4.6. > </xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3"> > <xccdf:title xml:lang="en">Services</xccdf:title> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.1"> > <xccdf:title xml:lang="en">Disable All Unneeded Services at Boot Time</xccdf:title> > <xccdf:description xml:lang="en"> > The best protection against vulnerable software is running less > software. This section describes how to review the software which Red Hat Enterprise Linux > installs on a system and disable software which is not needed. 
It then enumerates the > software packages installed on a default RHEL5 system and provides guidance about which ones > can be safely disabled.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.1.1"> > <xccdf:title xml:lang="en">Determine which Services are Enabled at Boot</xccdf:title> > <xccdf:description xml:lang="en"> > Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig --list | grep :on <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The first column > of this output is the name of a service which is currently enabled at boot. Review each > listed service to determine whether it can be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If it is appropriate to disable > some service srvname , do so using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig srvname off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Use the guidance below for information about unfamiliar services.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.1.2"> > <xccdf:title xml:lang="en">Guidance on Default Services</xccdf:title> > <xccdf:description xml:lang="en"> > The table in this section contains a list of all services which > are enabled at boot by a default RHEL5 installation. For each service, one of the > following recommendations is made: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Enable: The service provides a significant capability > with limited risk exposure. Leave the service enabled. 
</xhtml:li><xhtml:li>Configure: The service either is > required for most systems to function properly or provides an important security function. > It should be left enabled by most environments. However, it must be configured securely on > all machines, and different options may be needed for workstations than for servers. See > the referenced section for recommended configuration of this service.</xhtml:li><xhtml:li>Disable if > possible: The service opens the system to some risk, but may be required by some > environments. See the appropriate section of the guide, and disable the service if at all > possible.</xhtml:li><xhtml:li>Servers only: The service provides some function to other machines over the > network. If that function is needed in the target environment, the service should remain > enabled only on a small number of dedicated servers, and should be disabled on all other > machines on the network. </xhtml:li></xhtml:ul> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:thead><xhtml:tr><xhtml:td>Service name</xhtml:td><xhtml:td>Action</xhtml:td><xhtml:td>Reference</xhtml:td></xhtml:tr></xhtml:thead><xhtml:tbody><xhtml:tr><xhtml:td>acpid</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.15.2</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>anacron</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>apmd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.15.1</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>atd</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>auditd</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.6.2</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>autofs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.2.2.3</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>avahi-daemon</xhtml:td><xhtml:td>Disable if 
possible</xhtml:td><xhtml:td>3.7</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>bluetooth</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.14</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>cpuspeed</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.15.3 </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>crond</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.4</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>cups</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.8</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>firstboot</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.1</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>gpm</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.2</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>haldaemon</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.13.2</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>hidd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.14.2</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>hplip</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.8.4.1</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>ip6tables</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.5.5</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>iptables</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.5.5</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>irqbalance</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.3</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>isdn</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.4</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>kdump</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.5</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>kudzu</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.6 </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>mcstrans</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.4.3.2 (SELinux) </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>mdmonitor</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.7 
</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>messagebus</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.13.1</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>microcode</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.8</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>netfs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS)</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>network</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.9</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>nfslock</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS)</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>pcscd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.10</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>portmap</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>readahead_early</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.12</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>readahead_later</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.3.12</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>restorecond</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>2.4.3.3 (SELinux)</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>rhnsd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.1.2.2 </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>rpcgssd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>rpcidmapd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.13 (NFS) </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>sendmail</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>3.11</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>setroubleshoot</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.4.3.1 (SELinux)</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>smartd</xhtml:td><xhtml:td>Enable</xhtml:td><xhtml:td>3.3.11 </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>sshd</xhtml:td><xhtml:td>Servers 
only</xhtml:td><xhtml:td>3.5</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>syslog</xhtml:td><xhtml:td>Configure</xhtml:td><xhtml:td>2.6.1</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>xfs</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>3.6 (X11) </xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>yum-updatesd</xhtml:td><xhtml:td>Disable if possible</xhtml:td><xhtml:td>2.1.2.3.2</xhtml:td></xhtml:tr></xhtml:tbody></xhtml:table> > </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.1.3"> > <xccdf:title xml:lang="en">Guidance for Unfamiliar Services</xccdf:title> > <xccdf:description xml:lang="en"> > If the system is running any services which have not been > covered, determine what these services do, and disable them if they are not needed or if > they pose a high risk. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a service srvname is unknown, try running: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -qf /etc/init.d/srvname <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > to discover which RPM package installed the service. 
Then, run: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ rpm -qi rpmname <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > for a brief description of what that RPM does.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2"> > <xccdf:title xml:lang="en">Obsolete Services</xccdf:title> > <xccdf:description xml:lang="en"> > This section discusses a number of network-visible services which > have historically caused problems for system security, and for which disabling or severely > limiting the service has been the best available guidance for some time. As a result of this > consensus, these services are not installed as part of RHEL5 by default. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Organizations which > are running these services should prioritize switching to more secure services which provide > the needed functionality. If it is absolutely necessary to run one of these services for > legacy reasons, care should be taken to restrict the service as much as possible, for > instance by configuring host firewall software (see Section 2.5.5) to restrict access to the > vulnerable service to only those remote hosts which have a known need to use it.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.1"> > <xccdf:title xml:lang="en">Inetd and Xinetd</xccdf:title> > <xccdf:description xml:lang="en"> > Is there an operational need to run the deprecated inetd or > xinetd software packages? 
If not, ensure that they are removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase inetd xinetd <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Beginning with Red Hat Enterprise Linux 5, the xinetd service is no > longer installed by default. This change represents increased awareness that the dedicated > network listener model does not improve security or reliability of services, and that > restriction of network listeners is better handled using a granular model such as SELinux > than using xinetd's limited security options.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Inetd</xccdf:title> > <xccdf:description>The inetd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4234-1</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20170"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Xinetd</xccdf:title> > <xccdf:description>The xinetd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4252-3</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20171"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.1.c" selected="false" weight="10.0"> > <xccdf:title>Uninstall Inetd</xccdf:title> > <xccdf:description>The inetd 
package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4023-8</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase inetd</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20172"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.1.d" selected="false" weight="10.0"> > <xccdf:title>Uninstall Xinetd</xccdf:title> > <xccdf:description>The xinetd package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4164-0</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase xinetd</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20173"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.2"> > <xccdf:title xml:lang="en">Telnet</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason for users to access the system > via the insecure telnet protocol, rather than the more secure SSH protocol? If not, ensure > that the telnet server is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase telnet-server <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The telnet > protocol uses unencrypted network communication, which means that data from the login > session, including passwords and all other information transmitted during the session, can > be stolen by eavesdroppers on the network, and also that outsiders can easily hijack the > session to gain authenticated access to the telnet server. 
Organizations which use telnet > should be actively working to migrate to a more secure protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See Section 3.5 for information about the SSH service.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.2.1"> > <xccdf:title xml:lang="en">Remove Telnet Clients</xccdf:title> > <xccdf:description xml:lang="en"> > In order to prevent users from casually attempting to use a telnet server, and thus exposing their credentials > over the network, remove the telnet package, which contains a telnet client program:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase telnet<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If Kerberos is not used, remove the krb5-workstation package, which also includes a telnet client:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase krb5-workstation<xhtml:br/></xhtml:code> > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.2.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Remove the telnet client command from the System</xccdf:title> > <xccdf:description>The telnet package should be uninstalled.</xccdf:description> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase telnet</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20175"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.2.1.b" selected="false" weight="10.0"> > <xccdf:title>Remove the kerberos telnet client from the System</xccdf:title> > 
<xccdf:description>The krb5-workstation package should be uninstalled.</xccdf:description> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase krb5-workstation</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20176"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.2.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Uninstall Telnet server</xccdf:title> > <xccdf:description>The telnet-server package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4330-7</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase telnet-server</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20174"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.2.b" selected="false" severity="high" weight="10.0"> > <xccdf:title>Disable telnet service</xccdf:title> > <xccdf:description>The telnet service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3390-2</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201745"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.3"> > <xccdf:title xml:lang="en">Rlogin, Rsh, and Rcp</xccdf:title> > <xccdf:description xml:lang="en">The Berkeley r-commands are legacy services which allow cleartext remote access and have an insecure trust model.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.3.1"> > <xccdf:title xml:lang="en">Remove the Rsh 
Server Commands from the System</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason for users to access the > system via the insecure rlogin, rsh, or rcp commands rather than the more secure ssh and > scp? If not, ensure that the rsh server is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase rsh-server <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSH was designed to be a drop-in replacement for the r-commands, which suffer > from the same hijacking and eavesdropping problems as telnet. There is unlikely to be a > case in which these commands cannot be replaced with SSH.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.3.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Remove the Rsh Server Commands from the System</xccdf:title> > <xccdf:description>The rsh-server package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4308-3</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase rsh-server</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20177"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.3.1.b" selected="false" severity="high" weight="10.0"> > <xccdf:title>disable rcp</xccdf:title> > <xccdf:description>The rcp service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3974-3</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig rcp off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" 
name="oval:org.open-scap.f14:def:201774"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.3.1.c" selected="false" severity="high" weight="10.0"> > <xccdf:title>disable rsh</xccdf:title> > <xccdf:description>The rsh service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4141-8</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig rsh off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201775"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.3.1.d" selected="false" severity="high" weight="10.0"> > <xccdf:title>disable rlogin</xccdf:title> > <xccdf:description>The rlogin service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3537-8</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig rlogin off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201776"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.3.2"> > <xccdf:title xml:lang="en">Remove .rhosts Support from PAM Configuration Files</xccdf:title> > <xccdf:description xml:lang="en"> > Check that pam_rhosts authentication is not used by any PAM > services. Run the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># grep -l pam_rhosts /etc/pam.d/* <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This command should return no output. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The RHEL5 default is not to rely on .rhosts or /etc/hosts.equiv for any > PAM-based services, so, on an uncustomized system, this command should return no output. > If any files do use pam_rhosts, modify them to make use of a more secure authentication > method instead. For more information about PAM, see Section 2.3.3.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.3.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Remove .rhosts Support from PAM Configuration Files</xccdf:title> > <xccdf:description>Check that pam_rhosts authentication is not used by any PAM services.</xccdf:description> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20178"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.3.3"> > <xccdf:title xml:lang="en">Remove the Rsh Client Commands from the System</xccdf:title> > <xccdf:description xml:lang="en"> > In order to prevent users from casually attempting to make use of an rsh server and thus exposing their > credentials over the network, remove the rsh package, which contains client programs for many of r-commands > described above:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase rsh<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Users should be trained to use the SSH client, and never attempt to connect to an rsh or telnet server. The > krb5-workstation package also contains r-command client programs and should be removed as described in > Section 3.2.2.1, if Kerberos is not in use. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.3.3.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Remove the Rsh Client Commands from the System</xccdf:title> > <xccdf:description>The rsh package, which contains client programs for many of the r-commands, should be uninstalled.</xccdf:description> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase rsh</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20179"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.4"> > <xccdf:title xml:lang="en">NIS</xccdf:title> > <xccdf:description xml:lang="en"> > The NIS client service ypbind is not activated by default. In the > event that it was activated at some point, disable it by executing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig ypbind off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The NIS server package is not installed by default. In the event that > it was installed at some point, remove it from the system by executing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase ypserv <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Network Information Service (NIS), also known as 'Yellow Pages' (YP), and > its successor NIS+ have been made obsolete by Kerberos, LDAP, and other modern centralized > authentication services. 
NIS should not be used because it suffers from security problems > inherent in its design, such as inadequate protection of important authentication > information.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Uninstall NIS</xccdf:title> > <xccdf:description>The ypserv package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4348-9</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase ypserv</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20180"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.4.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable NIS</xccdf:title> > <xccdf:description>The ypbind service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3705-1</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig ypbind off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20181"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.2.5"> > <xccdf:title xml:lang="en">TFTP Server</xccdf:title> > <xccdf:description xml:lang="en"> > Is there an operational need to run the deprecated TFTP server > software? 
If not, ensure that it is removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase tftp-server <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > TFTP is a lightweight version of the FTP protocol which has traditionally been used to > configure networking equipment. However, TFTP provides little security, and modern > versions of networking operating systems frequently support configuration via SSH or > other more secure protocols. A TFTP server should be run only if no more secure method of > supporting existing equipment can be found.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.5.a" selected="false" weight="10.0"> > <xccdf:title>Uninstall TFTP Server</xccdf:title> > <xccdf:description>The tftp-server package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3916-4</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase tftp-server</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20182"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.2.5.b" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable TFTP Server</xccdf:title> > <xccdf:description>The tftp service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4273-9</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig tftp off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:201825"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" 
id="xccdf_cdf_group_group-3.3"> > <xccdf:title xml:lang="en">BaseServices</xccdf:title> > <xccdf:description xml:lang="en"> > This section addresses the base services that are configured to > start up on boot in a RHEL5 default installation. Some of these services listen on the > network and should be treated with particular discretion. The other services are local > system utilities that may or may not be extraneous. Each of these services should be > disabled if not required.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.1"> > <xccdf:title xml:lang="en">Installation Helper Service (firstboot)</xccdf:title> > <xccdf:description xml:lang="en"> > Firstboot is a daemon specific to the Red Hat installation > process. It handles 'one-time' configuration following successful installation of the > operating system. As such, there is no reason for this service to remain enabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Disable firstboot by issuing the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig firstboot off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Installation Helper Service (firstboot)</xccdf:title> > <xccdf:description>The firstboot service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3412-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig firstboot off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20183"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" 
id="xccdf_cdf_group_group-3.3.2"> > <xccdf:title xml:lang="en">Console Mouse Service (gpm)</xccdf:title> > <xccdf:description xml:lang="en"> > GPM is the service that controls the text console mouse pointer. > (The X Windows mouse pointer is unaffected by this service.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If mouse functionality in the console is not required, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig gpm off <xhtml:br/></xhtml:code> > Although it is > preferable to run as few services as possible, the console mouse pointer can be useful for > preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Console Mouse Service (gpm)</xccdf:title> > <xccdf:description>The gpm service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4229-1</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig gpm off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20184"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.3"> > <xccdf:title xml:lang="en">Interrupt Distribution on Multiprocessor Systems (irqbalance)</xccdf:title> > <xccdf:description xml:lang="en"> > The goal of the irqbalance service is to optimize the balance > between power savings and performance through distribution of hardware interrupts across > multiple processors. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In a server environment with multiple processors, this provides a > useful service and should be left enabled. If a machine has only one processor, the > service may be disabled: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig irqbalance off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.3.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Interrupt Distribution on Multiprocessor Systems (irqbalance)</xccdf:title> > <xccdf:description>The irqbalance service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4123-6</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig irqbalance off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20185"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.4"> > <xccdf:title xml:lang="en">ISDN Support (isdn)</xccdf:title> > <xccdf:description xml:lang="en"> > The ISDN service facilitates Internet connectivity in the > presence of an ISDN modem. 
If an ISDN modem is not being used, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig isdn off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.4.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>ISDN Support (isdn)</xccdf:title> > <xccdf:description>The isdn service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4286-1</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig isdn off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20186"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.5"> > <xccdf:title xml:lang="en">Kdump Kernel Crash Analyzer (kdump)</xccdf:title> > <xccdf:description xml:lang="en"> > Kdump is a new kernel crash dump analyzer. It uses kexec to boot > a secondary kernel ('capture' kernel) following a system crash. The kernel dump from the > system crash is loaded into the capture kernel for analysis. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Unless the system is used for kernel development or testing, disable the service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig kdump off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.5.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Kdump Kernel Crash Analyzer (kdump)</xccdf:title> > <xccdf:description>The kdump service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3425-6</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig kdump off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20187"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.6"> > <xccdf:title xml:lang="en">Kudzu Hardware Probing Utility (kudzu)</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason for console users to add new > hardware to the system? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig kudzu off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Kudzu, Red Hat's hardware detection > program, represents an unnecessary security risk as it allows unprivileged users to > perform hardware configuration without authorization. 
Unless this specific functionality > is required, Kudzu should be disabled.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.6.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Kudzu Hardware Probing Utility (kudzu)</xccdf:title> > <xccdf:description>The kudzu service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4211-9</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig kudzu off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20188"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.7"> > <xccdf:title xml:lang="en">Software RAID Monitor (mdmonitor)</xccdf:title> > <xccdf:description xml:lang="en"> > The mdmonitor service is used for monitoring a software RAID > (hardware RAID setups do not use this service). This service is extraneous unless software > RAID is in use (which is not common). 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If software RAID monitoring is not required, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig mdmonitor off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.7.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Software RAID Monitor (mdmonitor)</xccdf:title> > <xccdf:description>The mdmonitor service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3854-7</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig mdmonitor off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20189"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.8"> > <xccdf:title xml:lang="en">IA32 Microcode Utility (microcode_ctl)</xccdf:title> > <xccdf:description xml:lang="en"> > microcode_ctl is a microcode utility for use with Intel IA32 > processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the system is not running an Intel IA32 processor, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig microcode_ctl off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.8.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>IA32 Microcode Utility (microcode_ctl)</xccdf:title> > <xccdf:description>The microcode_ctl service should be 
disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4356-2</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig microcode_ctl off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20190"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.9"> > <xccdf:title xml:lang="en">Network Service (network)</xccdf:title> > <xccdf:description xml:lang="en"> > The network service allows associated network interfaces to > access the network. This section contains general guidance for controlling the operation > of the service. For kernel parameters which affect networking, see the section on kernel parameters.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.9.1"> > <xccdf:title xml:lang="en">Disable All Networking if Not Needed</xccdf:title> > <xccdf:description xml:lang="en"> > If the system is a standalone machine with no need for network > access or even communication over the loopback device, then disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig network off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.9.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable All Networking if Not Needed</xccdf:title> > <xccdf:description>The network service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4369-5</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig network off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20191"/> > 
</xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.9.2"> > <xccdf:title xml:lang="en">Disable All External Network Interfaces if Not Needed</xccdf:title> > <xccdf:description xml:lang="en"> > If the system does not require network communications but still > needs to use the loopback interface, remove all files of the form ifcfg-interface except > for ifcfg-lo from /etc/sysconfig/network-scripts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rm /etc/sysconfig/network-scripts/ifcfg-interface</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.9.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable All External Network Interfaces if Not Needed</xccdf:title> > <xccdf:description>All files of the form ifcfg-interface except for ifcfg-lo in /etc/sysconfig/network-scripts should be removed</xccdf:description> > <xccdf:fixtext>via /etc/sysconfig/network-scripts</xccdf:fixtext> > <xccdf:fix># rm /etc/sysconfig/network-scripts/ifcfg-interface</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20192"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.9.3"> > <xccdf:title xml:lang="en">Disable Zeroconf Networking</xccdf:title> > <xccdf:description xml:lang="en"> > Zeroconf networking allows the system to assign itself an IP > address and engage in IP communication without a statically-assigned address or even a > DHCP server. Automatic address assignment via Zeroconf (or DHCP) is not recommended. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To disable Zeroconf automatic route assignment in the 169.254.0.0 subnet, add or correct > the following line in /etc/sysconfig/network: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > NOZEROCONF=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Zeroconf addresses are in > the network 169.254.0.0. The networking scripts add entries to the system's routing > table for these addresses. Zeroconf address assignment commonly occurs when the system > is configured to use DHCP but fails to receive an address assignment from the DHCP > server.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.9.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Zeroconf Networking</xccdf:title> > <xccdf:description>Disable Zeroconf automatic route assignment in the 169.254.0.0 subnet.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4369-5</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/network</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20193"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.10"> > <xccdf:title xml:lang="en">Smart Card Support (pcscd)</xccdf:title> > <xccdf:description xml:lang="en"> > The pcscd service provides support for Smart Cards and Smart Card > Readers. 
If Smart Cards are not in use on the system, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig pcscd off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.10.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Smart Card Support (pcscd)</xccdf:title> > <xccdf:description>The pcscd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4100-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig pcscd off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20194"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.11"> > <xccdf:title xml:lang="en">SMART Disk Monitoring Support (smartd)</xccdf:title> > <xccdf:description xml:lang="en"> > SMART (Self-Monitoring, Analysis, and Reporting Technology) is a > feature of hard drives that allows them to detect symptoms of disk failure and relay an > appropriate warning. This technology is considered to bring relatively low security risk, > and can be useful. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Leave this service running if the system's hard drives are > SMART-capable. 
Otherwise, disable it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig smartd off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.11.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>SMART Disk Monitoring Support (smartd)</xccdf:title> > <xccdf:description>The smartd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3455-3</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig smartd off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20195"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.12"> > <xccdf:title xml:lang="en">Boot Caching (readahead_early/readahead_later)</xccdf:title> > <xccdf:description xml:lang="en"> > The following services provide one-time caching of files > belonging to some boot services, with the goal of allowing the system to boot faster. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is recommended that these services be disabled on most machines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig readahead_early off <xhtml:br/> > # chkconfig readahead_later off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The readahead services do not substantially increase a > system's risk exposure, but they also do not provide great benefit. 
Unless the system is > running a specialized application for which the file caching substantially improves system > boot time, this guide recommends disabling the services.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.12.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Boot Caching (readahead_early/readahead_later)</xccdf:title> > <xccdf:description>The readahead_early service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4421-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig readahead_early off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20196"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.12.b" selected="false" severity="low" weight="10.0"> > <xccdf:title>Boot Caching (readahead_early/readahead_later)</xccdf:title> > <xccdf:description>The readahead_later service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4302-6</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig readahead_later off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20197"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.13"> > <xccdf:title xml:lang="en">Application Support Services</xccdf:title> > <xccdf:description xml:lang="en"> > The following services are software projects of freedesktop.org > that are meant to provide system integration through a series of common APIs for > applications. They are heavily integrated into the X Windows environment. 
If the system is > not using X Windows, these services can typically be disabled.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.13.1"> > <xccdf:title xml:lang="en">D-Bus IPC Service (messagebus)</xccdf:title> > <xccdf:description xml:lang="en"> > D-Bus is an IPC mechanism that provides a common channel for > inter-process communication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If no services which require D-Bus are in use, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig messagebus off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A number of default services make use of D-Bus, > including X Windows (Section 3.6), Bluetooth (Section 3.3.14) and Avahi (Section 3.7). > This guide recommends that D-Bus and all its dependencies be disabled unless there is a > mission-critical need for them. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Stricter configuration of D-Bus is possible and > documented in the man page dbus-daemon(1). 
D-Bus maintains two separate configuration > files, located in /etc/dbus-1/, one for system-specific configuration and the other for > session-specific configuration.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.13.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>D-Bus IPC Service (messagebus)</xccdf:title> > <xccdf:description>The messagebus service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3822-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig messagebus off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20198"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.13.2"> > <xccdf:title xml:lang="en">HAL Daemon (haldaemon)</xccdf:title> > <xccdf:description xml:lang="en"> > The haldaemon service provides a dynamic way of managing device > interfaces. 
It automates device configuration and provides an API for making devices > accessible to applications through the D-Bus interface.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.13.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>HAL Daemon (haldaemon)</xccdf:title> > <xccdf:description>The haldaemon service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4364-6</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig haldaemon off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20199"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.13.2.1"> > <xccdf:title xml:lang="en">Disable HAL Daemon if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > HAL provides valuable attack surfaces to attackers as an > intermediary to privileged operations and should be disabled unless necessary: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig haldaemon off</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.13.2.2"> > <xccdf:title xml:lang="en">Configure HAL Daemon if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > HAL provides a limited user the ability to mount system > devices. This is primarily used by X utilities such as gnome-volume-manager to perform > automounting of removable media. 
> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > HAL configuration is currently > only possible through a series of fdi files located in > /usr/share/hal/fdi/ > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The HAL future road map includes a > mandatory framework for managing administrative privileges called > PolicyKit. > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To prevent users from accessing devices through HAL, > create the > file > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > /etc/hal/fdi/policy/99-policy-all-drives.fdi > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > with the contents: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <?xml version="1.0" > encoding="UTF-8"?><deviceinfo > version="0.2"><device><match key="info.capabilities" > contains="volume"><merge key="volume.ignore" > type="bool">true</merge></match></device></deviceinfo> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > above code matches any device labeled with the volume capability (any device capable > of being mounted will be labeled this way) and sets the corresponding volume.ignore > key to true, indicating that the volume should be ignored. This both makes the volume > invisible to the UI, and denies mount attempts by unprivileged users. 
> </xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.14"> > <xccdf:title xml:lang="en">Bluetooth Support</xccdf:title> > <xccdf:description xml:lang="en"> > Bluetooth provides a way to transfer information between devices > such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles > over a short-range wireless link. Any wireless communication presents a serious security > risk to sensitive or classified systems. Section 2.5.2 contains information on the related > topic of wireless networking. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Removal of hardware is the only way to ensure that the > Bluetooth wireless capability remains disabled. If it is completely impractical to remove > the Bluetooth hardware module, and site policy still allows the device to enter sensitive > spaces, every effort to disable the capability via software should be made. In general, > acquisition policy should include provisions to prevent the purchase of equipment that > will be used in sensitive spaces and includes Bluetooth capabilities.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.14.1"> > <xccdf:title xml:lang="en">Bluetooth Host Controller Interface Daemon (bluetooth)</xccdf:title> > <xccdf:description xml:lang="en"> > The bluetooth service enables the system to use Bluetooth > devices. 
If the system requires no Bluetooth devices, disable this service:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig bluetooth off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.14.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Bluetooth Host Controller Interface Daemon (bluetooth)</xccdf:title> > <xccdf:description>The bluetooth service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4355-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig bluetooth off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20200"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.14.2"> > <xccdf:title xml:lang="en">Bluetooth Input Devices (hidd)</xccdf:title> > <xccdf:description xml:lang="en"> > The hidd service provides support for Bluetooth input devices. > If the system has no Bluetooth input devices (e.g. 
keyboard or mouse), disable this > service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig hidd off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.14.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Bluetooth Input Devices (hidd)</xccdf:title> > <xccdf:description>The hidd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4377-8</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig hidd off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20201"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.14.3"> > <xccdf:title xml:lang="en">Disable Bluetooth Kernel Modules</xccdf:title> > <xccdf:description xml:lang="en"> > The kernel's module loading system can be configured to prevent > loading of the Bluetooth module. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Add the following to /etc/modprobe.conf to prevent the > loading of the Bluetooth module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > alias net-pf-31 off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The unexpected name, net-pf-31, is > a result of how the kernel requests modules for network protocol families; it is an > alias for the bluetooth module.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.14.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Bluetooth Kernel Modules</xccdf:title> > <xccdf:description>Prevent loading of the Bluetooth module.</xccdf:description> > <xccdf:fixtext>(1) via /etc/modprobe.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:202015"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.15"> > <xccdf:title xml:lang="en">Power Management Support</xccdf:title> > <xccdf:description xml:lang="en"> > The following services provide an interface to power management > functions. These functions include monitoring battery power, system hibernate/suspend, CPU > throttling, and various power-save utilities.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.15.1"> > <xccdf:title xml:lang="en">Advanced Power Management Subsystem (apmd)</xccdf:title> > <xccdf:description xml:lang="en"> > The apmd service provides last generation power management > support. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the system is capable of ACPI support, or if power management is not > necessary, disable this service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig apmd off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > APM is being replaced by ACPI and > should be considered deprecated. As such, it can be disabled if ACPI is supported by > your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version > information, then APM can safely be disabled without loss of functionality.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.15.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Advanced Power Management Subsystem (apmd)</xccdf:title> > <xccdf:description>The apmd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4289-5</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig apmd off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20202"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.15.2"> > <xccdf:title xml:lang="en">Advanced Configuration and Power Interface (acpid)</xccdf:title> > <xccdf:description xml:lang="en"> > The acpid service provides next generation power management > support. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Unless power management features are not necessary, leave this service enabled.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.15.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Advanced Configuration and Power Interface (acpid)</xccdf:title> > <xccdf:description>The acpid service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4298-6</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20203"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.3.15.3"> > <xccdf:title xml:lang="en">CPU Throttling (cpuspeed)</xccdf:title> > <xccdf:description xml:lang="en"> > The cpuspeed service uses hardware support to throttle the CPU > when the system is idle. 
Unless CPU power optimization is unnecessary, leave this > service enabled.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.3.15.3.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>CPU Throttling (cpuspeed)</xccdf:title> > <xccdf:description>The cpuspeed service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4051-9</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20204"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.4"> > <xccdf:title xml:lang="en">Cron and At Daemons</xccdf:title> > <xccdf:description xml:lang="en"> > The cron and at services are used to allow commands to be executed > at a later time. The cron service is required by almost all systems to perform necessary > maintenance tasks, while at may or may not be required on a given system. 
Both daemons > should be configured defensively.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Enable cron Daemon</xccdf:title> > <xccdf:description>The crond service should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4324-0</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20205"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.4.1"> > <xccdf:title xml:lang="en">Disable anacron if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is this a machine which is designed to run all the time, such as > a server or a workstation which is left on at night? If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase anacron<xhtml:br/></xhtml:code> > The > anacron subsystem is designed to provide cron functionality for machines which may be shut > down during the normal times that system cron jobs run, frequently in the middle of the > night. Laptops and workstations which are shut down at night should keep anacron enabled, > so that standard system cron jobs will run when the machine boots. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, on machines > which do not need this additional functionality, anacron represents another piece of > privileged software which could contain vulnerabilities. 
Therefore, it should be removed > when possible to reduce system risk.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable anacron if Possible</xccdf:title> > <xccdf:description>The anacron service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4406-5</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20206"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.1.b" selected="false" weight="10.0"> > <xccdf:title>Uninstall anacron if Possible</xccdf:title> > <xccdf:description>The anacron package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4428-9</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase anacron</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20207"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.4.2"> > <xccdf:title xml:lang="en">Restrict Permissions on Files Used by cron</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Restrict the permissions on the primary system crontab file: <xhtml:br/> > <xhtml:br/> > <xhtml:code># chown root:root /etc/crontab <xhtml:br/> > # chmod 600 /etc/crontab</xhtml:code></xhtml:li><xhtml:li>If anacron has not been removed, > restrict the permissions on its primary configuration file: <xhtml:br/> > <xhtml:br/> > <xhtml:code># chown root:root /etc/anacrontab <xhtml:br/> > # chmod 600 /etc/anacrontab </xhtml:code></xhtml:li><xhtml:li>Restrict the permission on all system > 
crontab directories: <xhtml:br/> > <xhtml:br/> > <xhtml:code># cd /etc <xhtml:br/> > # chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d <xhtml:br/> > # chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d </xhtml:code></xhtml:li><xhtml:li>Restrict the permissions on the spool directory for user crontab files: <xhtml:br/> > <xhtml:br/> > <xhtml:code># chown root:root /var/spool/cron <xhtml:br/> > # chmod -R go-rwx /var/spool/cron </xhtml:code></xhtml:li></xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Cron and anacron make use of a > number of configuration files and directories. The system crontabs need only be edited by > root, and user crontabs are edited using the setuid root crontab command. If unprivileged > users can modify system cron configuration files, they may be able to gain elevated > privileges, so all unnecessary access to these files should be disabled.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.crontab.primary.group" operator="equals" type="string"> > <xccdf:title>group owner of /etc/crontab</xccdf:title> > <xccdf:description xml:lang="en">Specify group owner of /etc/crontab.</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of /etc/crontab</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.crontab.primary.user" operator="equals" type="string"> > <xccdf:title>user owner of /etc/crontab</xccdf:title> > <xccdf:description xml:lang="en">Specify user owner of /etc/crontab.</xccdf:description> > <xccdf:question xml:lang="en">Specify user owner of /etc/crontab</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.crontab.primary.permissions" operator="equals" 
type="string"> > <xccdf:title>permissions on /etc/crontab file</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions on /etc/crontab.</xccdf:description> > <xccdf:question xml:lang="en">Specify permissions of /etc/crontab</xccdf:question> > <xccdf:value>110100100</xccdf:value> > <xccdf:value selector="644">110100100</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="600">110000000</xccdf:value> > <xccdf:value selector="700">111000000</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.anacrontab.group" operator="equals" type="string"> > <xccdf:title>group owner of /etc/anacrontab</xccdf:title> > <xccdf:description xml:lang="en">Specify group owner of /etc/anacrontab.</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of /etc/anacrontab</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.anacrontab.user" operator="equals" type="string"> > <xccdf:title>user owner of /etc/anacrontab</xccdf:title> > <xccdf:description xml:lang="en">Specify user owner of /etc/anacrontab.</xccdf:description> > <xccdf:question xml:lang="en">Specify user owner of /etc/anacrontab</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.anacrontab.permissions" operator="equals" type="string"> > <xccdf:title>permissions on /etc/anacrontab file</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions on /etc/anacrontab.</xccdf:description> > <xccdf:question xml:lang="en">Specify permissions of /etc/anacrontab</xccdf:question> > <xccdf:value>110100100</xccdf:value> > <xccdf:value selector="644">110100100</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="600">110000000</xccdf:value> > <xccdf:value 
selector="700">111000000</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.group" operator="equals" type="string"> > <xccdf:title>group owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d</xccdf:title> > <xccdf:description xml:lang="en">Specify group owner of /etc/cron.* files and directories.</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of /etc/cron.* files and directories</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.user" operator="equals" type="string"> > <xccdf:title>user owner of cron.hourly cron.daily cron.weekly cron.monthly cron.d</xccdf:title> > <xccdf:description xml:lang="en">Specify user owner of /etc/cron.* files and directories.</xccdf:description> > <xccdf:question xml:lang="en">Specify user owner of /etc/cron.* files and directories</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.permissions" operator="equals" type="string"> > <xccdf:title>permissions on cron.hourly cron.daily cron.weekly cron.monthly cron.d</xccdf:title> > <xccdf:description xml:lang="en">Specify file and directory permissions on /etc/cron.*.</xccdf:description> > <xccdf:question xml:lang="en">Specify permissions of /etc/cron.* files and directories</xccdf:question> > <xccdf:value>111101101</xccdf:value> > <xccdf:value selector="755">111101101</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="600">110000000</xccdf:value> > <xccdf:value selector="700">111000000</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.spool.directory.group" operator="equals" type="string"> > <xccdf:title>group owner of /var/spool/cron</xccdf:title> > 
<xccdf:description xml:lang="en">Specify group owner of /var/spool/cron.</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of /var/spool/cron</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.spool.directory.user" operator="equals" type="string"> > <xccdf:title>user owner of /var/spool/cron</xccdf:title> > <xccdf:description xml:lang="en">Specify user owner of /var/spool/cron.</xccdf:description> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.4.2.spool.directory.permissions" operator="equals" type="string"> > <xccdf:title>permissions on /var/spool/cron file</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions on /var/spool/cron.</xccdf:description> > <xccdf:question xml:lang="en">Specify file permissions of /var/spool/cron</xccdf:question> > <xccdf:value>111000000</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="600">110000000</xccdf:value> > <xccdf:value selector="700">111000000</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set group owner on /etc/crontab</xccdf:title> > <xccdf:description>The /etc/crontab file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3626-9</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20208" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.primary.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20208"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.1.b" 
selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set user owner on /etc/crontab</xccdf:title> > <xccdf:description>The /etc/crontab file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3851-3</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20209" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.primary.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20209"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.1.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Permissions on /etc/crontab</xccdf:title> > <xccdf:title>Restrict Permissions on Files Used by cron</xccdf:title> > <xccdf:description>File permissions for /etc/crontab should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4388-5</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20210" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.primary.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20210"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set group owner on /etc/anacrontab</xccdf:title> > <xccdf:description>The /etc/anacrontab file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3604-6</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export 
export-name="oval:org.open-scap.f14:var:20211" value-id="xccdf_cdf_value_var-3.4.2.system.anacrontab.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20211"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set user owner on /etc/anacrontab</xccdf:title> > <xccdf:description>The /etc/anacrontab file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4379-4</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20212" value-id="xccdf_cdf_value_var-3.4.2.system.anacrontab.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20212"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.2.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Permissions on /etc/anacrontab</xccdf:title> > <xccdf:description>File permissions for /etc/anacrontab should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4304-2</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20213" value-id="xccdf_cdf_value_var-3.4.2.system.anacrontab.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20213"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set group owner on /etc/cron.hourly</xccdf:title> > <xccdf:description>The /etc/cron.hourly file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident 
system="http://cce.mitre.org">CCE-4054-3</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20214" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20214"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set group owner on /etc/cron.daily</xccdf:title> > <xccdf:description>The /etc/cron.daily file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3481-9</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20214" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20215"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set group owner on /etc/cron.weekly</xccdf:title> > <xccdf:description>The /etc/cron.weekly file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4331-5</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20214" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20216"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.d" selected="false" 
severity="medium" weight="10.0"> > <xccdf:title>Set group owner on /etc/cron.monthly</xccdf:title> > <xccdf:description>The /etc/cron.monthly file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4322-4</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20214" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20217"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.e" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set group owner on /etc/cron.d</xccdf:title> > <xccdf:description>The /etc/cron.d file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4212-7</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20214" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20218"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.f" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set user owner on /etc/cron.hourly</xccdf:title> > <xccdf:description>The /etc/cron.hourly file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3983-4</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20219" 
value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20219"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.g" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set user owner on /etc/cron.daily</xccdf:title> > <xccdf:description>The /etc/cron.daily file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4022-0</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20219" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20220"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.h" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set user owner on /etc/cron.weekly</xccdf:title> > <xccdf:description>The /etc/cron.weekly file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3833-1</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20219" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20221"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.i" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set user owner on /etc/cron.monthly</xccdf:title> > <xccdf:description>The /etc/cron.monthly file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident 
system="http://cce.mitre.org">CCE-4441-2</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20219" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20222"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.j" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set user owner on /etc/cron.d</xccdf:title> > <xccdf:description>The /etc/cron.d file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4380-2</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20219" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20223"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.k" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set permissions on /etc/cron.hourly</xccdf:title> > <xccdf:description>File permissions for /etc/cron.hourly should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4106-1</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20224" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20224"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.l" selected="false" severity="medium" 
weight="10.0"> > <xccdf:title>Set permissions on /etc/cron.daily</xccdf:title> > <xccdf:description>File permissions for /etc/cron.daily should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4450-3</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20224" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20225"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.m" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set permissions on /etc/cron.weekly</xccdf:title> > <xccdf:description>File permissions for /etc/cron.weekly should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4203-6</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20224" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20226"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.n" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set permissions on /etc/cron.monthly</xccdf:title> > <xccdf:description>File permissions for /etc/cron.monthly should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4251-5</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20224" 
value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20227"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.3.o" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set permissions on /etc/cron.d</xccdf:title> > <xccdf:description>File permissions for /etc/cron.d should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4250-7</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20224" value-id="xccdf_cdf_value_var-3.4.2.system.crontab.directories.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20228"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Restrict group owner on /var/spool/cron directory</xccdf:title> > <xccdf:description>The /var/spool/cron directory should be owned by the appropriate group.</xccdf:description> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20229" value-id="xccdf_cdf_value_var-3.4.2.spool.directory.group"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20229"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.4.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Restrict user owner on /var/spool/cron directory</xccdf:title> > <xccdf:description>The /var/spool/cron directory should be owned by the appropriate user.</xccdf:description> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check 
system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20230" value-id="xccdf_cdf_value_var-3.4.2.spool.directory.user"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20230"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.2.4.c" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Restrict Permissions on /var/spool/cron directory</xccdf:title> > <xccdf:description>Directory permissions for /var/spool/cron should be set correctly.</xccdf:description> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20231" value-id="xccdf_cdf_value_var-3.4.2.spool.directory.permissions"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20231"/> > <!-- TBD --> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.4.3"> > <xccdf:title xml:lang="en">Disable at if Possible</xccdf:title> > <xccdf:description xml:lang="en">Unless the at daemon is required, disable it with the following command:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig atd off<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Many of the periodic or delayed execution features of the at daemon can be provided through the cron daemon > instead. 
> </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.3.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable at Daemon</xccdf:title> > <xccdf:description>The atd service should be disabled.</xccdf:description> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:202052"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.3.b" selected="false" weight="10.0"> > <xccdf:title>uninstall at Daemon</xccdf:title> > <xccdf:description>The at package should be removed.</xccdf:description> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:202053"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.4.4"> > <xccdf:title xml:lang="en">Restrict at and cron to Authorized Users</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Remove the cron.deny file: <xhtml:br/> > <xhtml:br/> > <xhtml:code># rm /etc/cron.deny</xhtml:code></xhtml:li><xhtml:li>Edit /etc/cron.allow, adding one line for each user allowed to use the crontab command to > create cron jobs. </xhtml:li><xhtml:li>Remove the at.deny file: <xhtml:br/> > <xhtml:br/> > <xhtml:code># rm /etc/at.deny </xhtml:code></xhtml:li><xhtml:li>Edit /etc/at.allow, adding one line for each user allowed to use the at command to create at jobs. </xhtml:li></xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > /etc/cron.allow and /etc/at.allow files contain lists of users who are allowed to use cron > and at to delay execution of processes. 
If these files exist and if the corresponding > files /etc/cron.deny and /etc/at.deny do not exist, then only users listed in the relevant > allow files can run the crontab and at commands to submit jobs to be run at scheduled > intervals. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > On many systems, only the system administrator needs the ability to schedule > jobs. Note that even if a given user is not listed in cron.allow, cron jobs can still be > run as that user. The cron.allow file controls only administrative access to the crontab > command for scheduling and modifying cron jobs.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Remove /etc/cron.deny</xccdf:title> > <xccdf:description>/etc/cron.deny file should not exist.</xccdf:description> > <xccdf:fix>rm /etc/cron.deny</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20232"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.4.4.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Remove /etc/at.deny</xccdf:title> > <xccdf:description>/etc/at.deny file should not exist.</xccdf:description> > <xccdf:fix>rm /etc/at.deny</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20233"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5"> > <xccdf:title xml:lang="en">SSH Server</xccdf:title> > <xccdf:description xml:lang="en"> > The SSH protocol is recommended for remote login and remote file > transfer. 
SSH provides confidentiality and integrity for data exchanged between two systems, > as well as server authentication, through the use of public key cryptography. The > implementation included with the system is called OpenSSH, and more detailed documentation > is available from its website, http://www.openssh.org. Its server program is called sshd and > provided by the RPM package openssh-server.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.1"> > <xccdf:title xml:lang="en">Disable OpenSSH Server if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Unless the system needs to provide the remote login and file > transfer capabilities of SSH, disable and remove the OpenSSH server and its configuration.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.1.1"> > <xccdf:title xml:lang="en">Disable and Remove OpenSSH Software</xccdf:title> > <xccdf:description xml:lang="en"> > Disable and remove openssh-server with the commands: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig sshd off <xhtml:br/> > # yum erase openssh-server <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Users of the system will still be able to > use the SSH client program /usr/bin/ssh to access SSH servers on other systems.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.1.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable OpenSSH Software</xccdf:title> > <xccdf:description>The sshd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4268-9</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig sshd off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" 
name="oval:org.open-scap.f14:def:20234"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.1.1.b" selected="false" weight="10.0"> > <xccdf:title>Remove OpenSSH Software</xccdf:title> > <xccdf:description>SSH should be uninstalled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4272-1</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase openssh-server</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20235"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.1.2"> > <xccdf:title xml:lang="en">Remove SSH Server iptables Firewall Exception</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the files /etc/sysconfig/iptables and > /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, inbound connections to SSH's port are allowed. If the SSH server is not > being used, this exception should be removed from the firewall configuration. 
See > Section 2.5.5 for more information about Iptables.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.1.2.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Remove SSH Server iptables Firewall Exception</xccdf:title> > <xccdf:description>Inbound connections to the ssh port should be denied</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4295-2</xccdf:ident> > <xccdf:fixtext>(1) /etc/sysconfig/iptables</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20236"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.1.2.b" selected="false" severity="high" weight="10.0"> > <xccdf:title>Remove SSH Server ip6tables Firewall Exception</xccdf:title> > <xccdf:description>Inbound connections to the ssh port should be denied</xccdf:description> > <xccdf:fixtext>(1) /etc/sysconfig/ip6tables</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20237"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2"> > <xccdf:title xml:lang="en">Configure OpenSSH Server if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If the system needs to act as an SSH server, then certain changes > should be made to the OpenSSH daemon configuration file /etc/ssh/sshd config. The > following recommendations can be applied to this file. See the sshd config(5) man page for > more detailed information.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.1"> > <xccdf:title xml:lang="en">Ensure Only Protocol 2 Connections Allowed</xccdf:title> > <xccdf:description xml:lang="en"> > Only SSH protocol version 2 connections should be permitted. 
> Version 1 of the protocol contains security vulnerabilities. The default setting shipped > in the configuration file is correct, but it is important enough to check. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify that the following line appears: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Protocol 2</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Ensure Only Protocol 2 Connections Allowed</xccdf:title> > <xccdf:description>SSH version 1 protocol support should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4325-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20238"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.2"> > <xccdf:title xml:lang="en">Limit Users SSH Access'</xccdf:title> > <xccdf:description xml:lang="en"> > By default, the SSH configuration allows any user to access the > system. 
In order to allow all users to login via SSH but deny only a few users, add or > correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > DenyUsers USER1 USER2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Alternatively, if it is appropriate to allow only a few users access to the system via > SSH, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > AllowUsers USER1 USER2</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.3"> > <xccdf:title xml:lang="en">Set Idle Timeout Interval for User Logins</xccdf:title> > <xccdf:description xml:lang="en"> > SSH allows administrators to set an idle timeout interval. > After this interval has passed, the idle user will be automatically logged out. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Find and edit the following lines in /etc/ssh/sshd config as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ClientAliveInterval interval <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ClientAliveCountMax 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The timeout interval is given in seconds. > To have a timeout of 5 minutes, set interval to 300. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a shorter timeout has already been set for > the login shell, as in Section 2.3.5.5, that value will preempt any SSH setting made > here. 
Keep in mind that some processes may stop SSH from correctly detecting that the > user is idle.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.5.2.3.a" operator="equals" type="number"> > <xccdf:title>SSH session Idle time</xccdf:title> > <xccdf:description xml:lang="en">Specify duration of allowed idle time.</xccdf:description> > <xccdf:question xml:lang="en">Specify duration of allowed idle time (in seconds) for SSH session</xccdf:question> > <xccdf:value>300</xccdf:value> > <xccdf:value selector="5_minutes">300</xccdf:value> > <xccdf:value selector="10_minutes">600</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.5.2.3.b" operator="equals" type="number"> > <xccdf:title>SSH session ClientAliveCountMax</xccdf:title> > <xccdf:description xml:lang="en">Sets the number of client alive messages which may be sent without sshd receiving any messages back from the client.</xccdf:description> > <xccdf:question xml:lang="en">Specify the number of clients alive messages which may be sent without sshd receiving any messages back from the client</xccdf:question> > <xccdf:value>3</xccdf:value> > <xccdf:value selector="0">0</xccdf:value> > <xccdf:value selector="3">3</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.3.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Set Idle Timeout Interval for User Logins</xccdf:title> > <xccdf:description>The SSH idle timout interval should be set to an appropriate > value</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3845-5</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20239" value-id="xccdf_cdf_value_var-3.5.2.3.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20239"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule 
id="xccdf_cdf_rule_rule-3.5.2.3.b" selected="false" weight="10.0"> > <xccdf:title>Set ClientAliveCountMax for User Logins</xccdf:title> > <xccdf:description>The ClientAliveCountMax should be set to an appropriate value</xccdf:description> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20240" value-id="xccdf_cdf_value_var-3.5.2.3.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20240"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.4"> > <xccdf:title xml:lang="en">Disable .rhosts Files</xccdf:title> > <xccdf:description xml:lang="en"> > SSH can emulate the behavior of the obsolete rsh command in > allowing users to enable insecure access to their accounts via .rhosts files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To ensure that this behavior is disabled, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IgnoreRhosts yes</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.4.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Disable .rhosts Files</xccdf:title> > <xccdf:description>Emulation of the rsh command through the ssh server should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4475-0</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20241"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.5"> > <xccdf:title 
xml:lang="en">Disable Host-Based Authentication</xccdf:title> > <xccdf:description xml:lang="en"> > SSH's cryptographic host-based authentication is slightly more > secure than .rhosts authentication, since hosts are cryptographically authenticated. > However, it is not recommended that hosts unilaterally trust one another, even within an > organization. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To disable host-based authentication, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > HostbasedAuthentication no</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.5.a" selected="false" weight="10.0"> > <xccdf:title>Disable Host-Based Authentication</xccdf:title> > <xccdf:description>SSH host-based authentication should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4370-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20242"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.6"> > <xccdf:title xml:lang="en">Disable root Login via SSH</xccdf:title> > <xccdf:description xml:lang="en"> > The root user should never be allowed to login directly over a > network, as this both reduces auditable information about who ran privileged commands on > the system and allows direct attack attempts on root's password. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To disable root login via SSH, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > PermitRootLogin no</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.6.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable root Login via SSH</xccdf:title> > <xccdf:description>Root login via SSH should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4387-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20243"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.7"> > <xccdf:title xml:lang="en">Disable Empty Passwords</xccdf:title> > <xccdf:description xml:lang="en"> > To explicitly disallow remote login from accounts with empty > passwords, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > PermitEmptyPasswords no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Measures should also be taken to disable accounts with empty passwords system-wide, > as described in Section 2.3.1.5.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.7.a" selected="false" weight="10.0"> > <xccdf:title>Disable Empty Passwords</xccdf:title> > <xccdf:description>Remote connections from accounts with empty passwords should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3660-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check 
system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20244"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.8"> > <xccdf:title xml:lang="en">Enable a Warning Banner</xccdf:title> > <xccdf:description xml:lang="en"> > Section 2.3.7 contains information on how to create an > appropriate warning banner. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To enable a warning banner, add or correct the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Banner /etc/issue</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.8.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Enable a Warning Banner</xccdf:title> > <xccdf:description>SSH warning banner should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4431-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20245"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.9"> > <xccdf:title xml:lang="en">Do Not Allow Users to Set Environment Options</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent users from being able to present environment options to the SSH daemon and potentially bypass > some access restrictions, add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > PermitUserEnvironment no > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.9.a" selected="false" weight="10"> > <xccdf:title 
xml:lang="en">Do Not Allow Users to Set Environment Options</xccdf:title> > <xccdf:description>PermitUserEnvironment should be disabled</xccdf:description> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:202455"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.10"> > <xccdf:title xml:lang="en">Use Only Approved Ciphers</xccdf:title> > <xccdf:description xml:lang="en"> > Limit the ciphers to those which are FIPS-approved and only use ciphers in counter (CTR) mode. The > following line demonstrates use of FIPS-approved ciphers in CTR mode:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ciphers aes128-ctr,aes192-ctr,aes256-ctr<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The man page sshd_config(5) contains a list of the ciphers supported for the current release of the SSH daemon.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.5.2.10.a" selected="false" weight="10"> > <xccdf:title xml:lang="en">Use Only Approved Ciphers</xccdf:title> > <xccdf:description>Use only FIPS approved ciphers not in CBC mode</xccdf:description> > <xccdf:fixtext>(1) via /etc/ssh/sshd_config</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:202456"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.5.2.11"> > <xccdf:title xml:lang="en">Strengthen Firewall Configuration if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > If the SSH server must only accept connections from the local > network, then strengthen the 
default firewall rule for the SSH service. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Determine an > appropriate network block, netwk, and network mask, mask, representing the machines on > your network which must be allowed to access this SSH server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the files > /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, > locate the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and replace it with: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If your site uses IPv6, and you are editing ip6tables, use the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s ipv6netwk::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > instead because Netfilter does not yet reliably support stateful filtering for > IPv6. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See Section 2.5.5 for more information about Iptables configuration.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6"> > <xccdf:title xml:lang="en">X Window System</xccdf:title> > <xccdf:description xml:lang="en">The X Window System implementation included with the system is called X.org.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.1"> > <xccdf:title xml:lang="en">Disable X Windows if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Unless there is a mission-critical reason for the machine to run > a GUI login screen, prevent X from starting automatically at boot. There is usually no > reason to run X Windows on a dedicated server machine, since administrators can login via > SSH or on the text console.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.1.1"> > <xccdf:title xml:lang="en">Disable X Windows at System Boot</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/inittab, and correct the line > id:5:initdefault: to: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > id:3:initdefault: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This action changes the default boot runlevel of > the system from 5 to 3. 
These two runlevels should be identical except that runlevel 5 > starts X on boot, while runlevel 3 does not.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.6.1.1.a" operator="equals" type="number"> > <xccdf:title>default boot level</xccdf:title> > <xccdf:description xml:lang="en">Specify whether to start in single user mode, text UI or graphical UI.</xccdf:description> > <xccdf:question xml:lang="en">Specify whether to start in single user mode, text UI or graphical UI</xccdf:question> > <xccdf:value>5</xccdf:value> > <xccdf:value selector="multi-user-graphical">5</xccdf:value> > <xccdf:value selector="multi-user-text">3</xccdf:value> > <xccdf:value selector="single-user-text">1</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.6.1.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable X Windows at System Boot</xccdf:title> > <xccdf:description>X Windows should be disabled at system boot</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4462-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/inittab</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20246" value-id="xccdf_cdf_value_var-3.6.1.1.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20246"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.1.2"> > <xccdf:title xml:lang="en">Remove X Windows from the System if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Remove the X11 RPMs from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum groupremove "X Window System" <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > As long as X.org remains installed on 
the system, users can still run X > Windows by typing startx at the shell prompt. This may run X Windows using configuration > settings which are less secure than the system defaults. Therefore, if the machine is a > dedicated server which does not need to provide graphical logins at all, it is safest to > remove the X.org software entirely. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The command given here will remove over 100 > packages. It should safely and effectively remove X from machines which do not need it.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.6.1.2.a" selected="false" weight="10.0"> > <xccdf:title>Remove X Windows from the System if Possible</xccdf:title> > <xccdf:description>X Windows should be removed</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4422-2</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum groupremove "X Window System"</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20247"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.1.3"> > <xccdf:title xml:lang="en">Lock Down X Windows startx Configuration if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If X is not to be started at boot time but the software must > remain installed, users will be able to run X manually using the startx command. In some > cases, this runs X with a configuration which is less safe than the default. 
Follow > these instructions to mitigate risk from this configuration.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.1.3.1"> > <xccdf:title xml:lang="en">Disable X Font Server</xccdf:title> > <xccdf:description xml:lang="en"> > Disable the xfs helper service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig xfs off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > system's X.org requires the X Font Server service (xfs) to function. The xfs service > will be started automatically if X.org is activated via startx. Therefore, it is safe > to prevent xfs from starting at boot when X is disabled, even if users are allowed to > run X manually.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.1.3.2"> > <xccdf:title xml:lang="en">Disable X Window System Listening</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent X.org from listening for remote connections, > create the file /etc/X11/xinit/xserverrc and fill it with the following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > exec X :0 -nolisten tcp $@ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > One of X.org's features is the ability to provide remote graphical > display. This feature should be disabled unless it is required. If the system uses > runlevel 5, which is the default, the GDM display manager starts X safely, with remote > listening disabled. 
However, if X is started from the command line with the startx > command, then the server will listen for new connections on X's default port, 6000.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See the xinit(1), startx(1), and Xserver(1) man pages for more information.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.6.1.3.2.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable X Window System Listening</xccdf:title> > <xccdf:description>Disable the ability to provide remote graphical display</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4074-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/X11/xinit/xserverrc</xccdf:fixtext> > <xccdf:fix>echo "exec X :0 -nolisten tcp $@" > /etc/X11/xinit/xserverrc</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20248"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.2"> > <xccdf:title xml:lang="en">Configure X Windows if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If there is a mission-critical reason for this machine to run a > GUI, improve the security of the default X configuration by following the guidance in this > section.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.6.2.1"> > <xccdf:title xml:lang="en">Create Warning Banners for GUI Login Users</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/gdm/custom.conf. 
Locate the [greeter] > section, and correct that section to contain the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [greeter] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > InfoMsgFile=/etc/issue<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See Section 2.3.7 for an explanation of banner file use. This setting will cause the > system greeting banner to be displayed in a box prior to GUI login. If the default > banner font is inappropriate, it can be changed by specifying the InfoMsgFont directive > as well, for instance: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > InfoMsgFont=Sans 12</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.6.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Create Warning Banners for GUI Login Users</xccdf:title> > <xccdf:description>Enable warning banner for GUI login</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3717-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/gdm/custom.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20249"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7"> > <xccdf:title xml:lang="en">Avahi Server</xccdf:title> > <xccdf:description xml:lang="en"> > The Avahi daemon implements the DNS Service Discovery and Multicast > DNS protocols, which provide service and host discovery on a network. It allows a system to > automatically identify resources on the network, such as printers or web servers. This > capability is also known as mDNSresponder and is a major part of Zeroconf networking. 
By > default, it is enabled.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.1"> > <xccdf:title xml:lang="en">Disable Avahi Server if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Because the Avahi daemon service keeps an open network port, it > is subject to network attacks. Disabling it is particularly important to reduce the > system's vulnerability to such attacks.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.1.1"> > <xccdf:title xml:lang="en">Disable Avahi Server Software</xccdf:title> > <xccdf:description xml:lang="en"> > Issue the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig avahi-daemon off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.1.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable Avahi Server Software</xccdf:title> > <xccdf:description>The avahi-daemon service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4365-3</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig avahi-daemon off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20250"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.1.2"> > <xccdf:title xml:lang="en">Remove Avahi Server iptables Firewall Exception</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the files /etc/sysconfig/iptables and > /etc/sysconfig/ip6tables (if IPv6 is in use). 
In each file, locate and delete the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, inbound > connections to Avahi's port are allowed. If the Avahi server is not being used, this > exception should be removed from the firewall configuration. See Section 2.5.5 for more > information about the Iptables firewall.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.2"> > <xccdf:title xml:lang="en">Configure Avahi if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If your system requires the Avahi daemon, its configuration can > be restricted to improve security. The Avahi daemon configuration file is > /etc/avahi/avahi-daemon.conf. The following security recommendations should be applied to > this file. See the avahi-daemon.conf(5) man page or documentation at http://www.avahi.org > for more detailed information about the configuration options.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.2.1"> > <xccdf:title xml:lang="en">Serve Only via Required Protocol</xccdf:title> > <xccdf:description xml:lang="en"> > The default setting in the configuration file allows Avahi to > use both IPv4 and IPv6 sockets. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If you are using only IPv4, edit > /etc/avahi/avahi-daemon.conf and ensure the following line exists in the [server] > section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > use-ipv6=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Similarly, if you are using only IPv6, disable IPv4 sockets with the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > use-ipv4=no</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Serve Only via Required Protocol</xccdf:title> > <xccdf:description>The Avahi daemon should be configured not to serve via Ipv6</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4136-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20251"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.1.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Serve Only via Required Protocol</xccdf:title> > <xccdf:description>The Avahi daemon should be configured not to serve via Ipv4</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4409-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20252"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" 
id="xccdf_cdf_group_group-3.7.2.2"> > <xccdf:title xml:lang="en">Check Responses' TTL Field</xccdf:title> > <xccdf:description xml:lang="en"> > Avahi can be set to ignore IP packets unless their TTL field is > 255. To make Avahi ignore packets unless the TTL field is 255, edit > /etc/avahi/avahi-daemon.conf and ensure the following line appears in the [server] > section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > check-response-ttl=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This helps to ensure that only mDNS responses from the > local network are processed, because the TTL field in a packet is decremented from its > initial value of 255 whenever it is routed from one network to another. Although a > properly-configured router or firewall should not allow mDNS packets into the local > network at all, this option provides another check to ensure they are not trusted. Note that this check does not protect against hosts on the local link, which can send packets with a TTL of 255 themselves.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.2.a" selected="false" weight="10.0"> > <xccdf:title>Check Responses' TTL Field</xccdf:title> > <xccdf:description>Avahi should be configured to reject packets with a TTL field not equal to 255</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4426-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20253"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.2.3"> > <xccdf:title xml:lang="en">Prevent Other Programs from Using Avahi's Port</xccdf:title> > <xccdf:description xml:lang="en"> > Avahi can stop other mDNS stacks from running on the host by > preventing other processes from binding to port 5353. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To prevent other mDNS stacks from > running, edit /etc/avahi/avahi-daemon.conf and ensure the following line appears in the > [server] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > disallow-other-stacks=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This is designed to help ensure that only > Avahi is responsible for mDNS traffic coming from that port on the system.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.3.a" selected="false" weight="10.0"> > <xccdf:title>Prevent Other Programs from Using Avahi's Port</xccdf:title> > <xccdf:description>Avahi should be configured to not allow other stacks from binding to port 5353</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4193-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20254"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.2.4"> > <xccdf:title xml:lang="en">Disable Publishing if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > The default setting in the configuration file allows the > avahi-daemon to send information about the local host, such as its address records and > the services it offers, to the local network. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To stop sending this information but still > allow Avahi to query the network for services, ensure the configuration file includes > the following line in the [publish] section: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > disable-publishing=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This line may be > particularly useful if Avahi is needed for printer discovery, but not to advertise > services. This configuration is highly recommended for client systems that should not > advertise their services (or existence).</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.4.a" selected="false" weight="10.0"> > <xccdf:title>Disable Publishing if Possible</xccdf:title> > <xccdf:description>Avahi publishing of local information should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4444-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20255"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.7.2.5"> > <xccdf:title xml:lang="en">Restrict Published Information</xccdf:title> > <xccdf:description xml:lang="en"> > If it is necessary to publish some information to the network, > it should not be joined by any extraneous information, or by information supplied by a > non-trusted source on the system. 
Prevent user applications from using Avahi to publish > services by adding or correcting the following line in the [publish] section:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > disable-user-service-publishing=yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Implement as many of the following lines as > possible, to restrict the information published by Avahi: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > publish-addresses=no<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > publish-hinfo=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > publish-workstation=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > publish-domain=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Inspect the files in the > directory /etc/avahi/services/. Unless there is an operational need to publish > information about each of these services, delete the corresponding file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These options > should be used even if publishing is disabled entirely via disable-publishing, since > that option prevents publishing attempts from succeeding, while these options prevent > the attempts from being made in the first place. 
Using both approaches is recommended > for completeness.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.5.a" selected="false" weight="10.0"> > <xccdf:title>Restrict disable-user-service-publishing</xccdf:title> > <xccdf:description>Avahi publishing of local information by user applications should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4352-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20256"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.5.b" selected="false" weight="10.0"> > <xccdf:title>Restrict publish-addresses</xccdf:title> > <xccdf:description>Avahi publishing of IP addresses (publish-addresses) should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4433-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20257"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.5.c" selected="false" weight="10.0"> > <xccdf:title>Restrict publish-hinfo</xccdf:title> > <xccdf:description>Avahi publishing of hardware information (publish-hinfo) should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4451-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20258"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.5.d" selected="false" weight="10.0"> > <xccdf:title>Restrict publish-workstation</xccdf:title> > 
<xccdf:description>Avahi publishing of workstation name (publish-workstation) should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4341-4</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20259"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.7.2.5.e" selected="false" weight="10.0"> > <xccdf:title>Restrict publish-domain</xccdf:title> > <xccdf:description>Avahi publishing of domain name should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4358-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/avahi/avahi-daemon.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20260"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8"> > <xccdf:title xml:lang="en">Print Support</xccdf:title> > <xccdf:description xml:lang="en"> > The Common Unix Printing System (CUPS) service provides both local > and network printing support. A system running the CUPS service can accept print jobs from > other systems, process them, and send them to the appropriate printer. It also provides an > interface for remote administration through a web browser. The CUPS service is installed and > activated by default. The project homepage and more detailed documentation are available at > http://www.cups.org. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The HP Linux Imaging and Printing service (HPLIP) is a separate package > that provides support for some of the additional features that HP printers provide that CUPS > may not necessarily support. 
It relies upon the CUPS service.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.1"> > <xccdf:title xml:lang="en">Disable the CUPS Service if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Do you need the ability to print from this machine or to allow > others to print to it? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig cups off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.8.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable the CUPS Service if Possible</xccdf:title> > <xccdf:description>The cups service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4112-9</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig cups off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20261"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.2"> > <xccdf:title xml:lang="en">Disable Firewall Access to Printing Service if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Does this system need to operate as a network print server? If > not, edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in > use). 
In each file, locate and delete the lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By > default, inbound connections to the Internet Printing Protocol port are allowed. If the > print server does not need to be accessed, either because the machine is not running the > print service at all or because the machine is not providing a remote network printer to > other machines, this exception should be removed from the firewall configuration. See > Section 2.5.5 for more information about the Iptables firewall.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.8.2.a" operator="equals" type="string"> > <xccdf:title>accept udp over IPv4</xccdf:title> > <xccdf:description xml:lang="en">Open firewall to allow udp over IPv4.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable UDP over IPv4</xccdf:question> > <xccdf:value>disabled</xccdf:value> > <xccdf:value selector="enabled">enabled</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > <xccdf:match>enabled|disabled</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>enabled</xccdf:choice> > <xccdf:choice>disabled</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.8.2.b" operator="equals" type="string"> > <xccdf:title>accept udp over IPv6</xccdf:title> > <xccdf:description xml:lang="en">Open firewall to allow udp over IPv6.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable UDP over IPv6</xccdf:question> > <xccdf:value>disabled</xccdf:value> > <xccdf:value selector="enabled">enabled</xccdf:value> > <xccdf:value selector="disabled">disabled</xccdf:value> > 
<xccdf:match>enabled|disabled</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>enabled</xccdf:choice> > <xccdf:choice>disabled</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.8.2.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Disable Firewall Access to Printing Service over IPv4 if Possible</xccdf:title> > <xccdf:description>Firewall access to printing service should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3649-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/iptables</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20262" value-id="xccdf_cdf_value_var-3.8.2.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20262"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.8.2.b" selected="false" severity="high" weight="10.0"> > <xccdf:title>Disable Firewall Access to Printing Service over IPv6 if Possible</xccdf:title> > <xccdf:description>Firewall access to printing service should be disabled</xccdf:description> > <xccdf:fixtext>(1) via /etc/sysconfig/ip6tables</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20263" value-id="xccdf_cdf_value_var-3.8.2.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20263"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.3"> > <xccdf:title xml:lang="en">Configure the CUPS Service if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > CUPS provides the ability to easily share local printers with > other machines over the network. It does this by allowing machines to share lists of > available printers. 
Additionally, each machine that runs the CUPS service can potentially > act as a print server. Whenever possible, the printer sharing and print server > capabilities of CUPS should be limited or disabled. The following recommendations should > demonstrate how to do just that.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.3.1"> > <xccdf:title xml:lang="en">Limit Printer Browsing</xccdf:title> > <xccdf:description xml:lang="en">By default, CUPS listens on the network for printer list broadcasts on UDP port 631. This functionality is called printer browsing.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.3.1.1"> > <xccdf:title xml:lang="en">Disable Printer Browsing Entirely if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > To disable printer browsing entirely, edit the CUPS > configuration file, located at /etc/cups/cupsd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Browsing Off<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > BrowseAllow none <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > CUPS print service can be configured to broadcast a list of available printers to the > network. Other machines on the network, also running the CUPS print service, can be > configured to listen to these broadcasts and add and configure these printers for > immediate use. 
By disabling this browsing capability, the machine will no longer > generate or receive such broadcasts.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.8.3.1.1.a" selected="false" weight="10.0"> > <xccdf:title>Disable Printer Browsing Entirely if Possible</xccdf:title> > <xccdf:description>Remote print browsing should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4420-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/cups/cupsd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20264"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.8.3.1.1.b" selected="false" weight="10.0"> > <xccdf:title>Deny CUPS ability to listen for Incoming printer information</xccdf:title> > <xccdf:description>CUPS should be denied the ability to listen for Incoming printer information</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4407-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/cups/cupsd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20265"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.3.1.2"> > <xccdf:title xml:lang="en">Limit Printer Browsing to a Particular Subnet if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > It is possible to disable outgoing printer list broadcasts > without affecting incoming broadcasts from other machines. To do so, open the CUPS > configuration file, located at /etc/cups/cupsd.conf. Look for the line that begins > with BrowseAddress and remove it. 
The line will look like the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > BrowseAddress @LOCAL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the intent is not to block printer sharing, but to limit it to a particular > set of machines, you can limit the UDP printer broadcasts to trusted network > addresses. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > BrowseAddress ip-address :631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Likewise, to ignore incoming UDP printer list > broadcasts, or to limit the set of machines to listen to, use the BrowseAllow and > BrowseDeny directives. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > BrowseDeny all <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > BrowseAllow ip-address <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This combination will > deny incoming broadcasts from any machine except those that are explicitly allowed > with BrowseAllow. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, when printer sharing is enabled, CUPS will broadcast to > every network that its host machine is connected to through all available network > interfaces on port 631. It will also listen to incoming broadcasts from other machines > on the network. Either list one BrowseAddress line for each client machine and one > BrowseAllow line for each print server or use one of the supported shorthand notations > that the CUPS service recognizes. 
Please see the cupsd.conf(5) man page or the > documentation provided at http://www.cups.org for more information on other ways to > format these directives.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.3.2"> > <xccdf:title xml:lang="en">Disable Print Server Capabilities if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent remote users from potentially > connecting to and using locally configured printers, disable the CUPS print server > sharing capabilities. To do so, limit how the server will listen for print jobs by > removing the more generic port directive from /etc/cups/cupsd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Port 631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and replacing it with the Listen directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Listen localhost:631 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This will prevent remote > users from printing to locally configured printers while still allowing local users on > the machine to print normally. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, locally configured printers will not be > shared over the network, but if this functionality has somehow been enabled, these > recommendations will disable it again. Be sure to disable outgoing printer list > broadcasts, or remote users will still be able to see the locally configured printers, > even if they cannot actually print to them. 
To limit print serving to a particular set > of users, use the Policy directive.</xccdf:description> > <xccdf:warning xml:lang="en">Disabling the print server capabilities in this manner will > also disable the Web Administration interface. </xccdf:warning> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.3.3"> > <xccdf:title xml:lang="en">Limit Access to the Web Administration Interface</xccdf:title> > <xccdf:description xml:lang="en"> > By default, access to the CUPS web administration interface is > limited to the local machine. It is recommended that this not be changed, especially > since the authentication mechanisms that CUPS provides are limited in their > effectiveness. If it is absolutely necessary to allow remote users to administer locally > installed printers, be sure to limit that access as much as possible by taking advantage > of the Location and Policy directive blocks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For example, to enable > remote access for ip-address for user username, modify each of the Location and Policy > directive blocks as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <Location /> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > AuthType Basic <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Require user username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Order allow,deny <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Allow localhost <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Allow ip-address <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </Location> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > As with the > BrowseAllow directive, use one Allow directive for each machine that needs access or use > one of the available CUPS 
directive definition shortcuts to enable access from a class > of machines at once. The Require user directive can take a list of individual users, a > group of users (prefixed with @), or the shorthand valid-user. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Host-based authentication has known limitations, > especially since IP addresses are easy to spoof. Requiring users to authenticate > themselves can alleviate this problem, but it cannot eliminate it. Note also that AuthType Basic transmits the password in cleartext, so if remote administration is enabled it should only be permitted over an encrypted connection (for example by adding Encryption Required to the Location block); otherwise the administrative credentials can be captured on the network. Do not use the root > account to manage and administer printers. Create a separate account for this purpose > and limit access to valid users with Require valid-user or Require user printeradmin. > </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.3.4"> > <xccdf:title xml:lang="en">Take Further Security Measures When Appropriate</xccdf:title> > <xccdf:description xml:lang="en"> > Whenever possible, limit outside networks' access to port 631. > Consider using CUPS directives that limit the number of incoming clients, such as > MaxClients or MaxClientsPerHost. Additionally, there are a series of Policy and Location > directives intended to limit which users can perform different printing tasks. When used > together, these may help to mitigate the possibility of a denial of service attack. See > cupsd.conf(5) for a full list of possible directives.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.4"> > <xccdf:title xml:lang="en">The HP Linux Imaging and Printing (HPLIP) Toolkit</xccdf:title> > <xccdf:description xml:lang="en"> > The HPLIP package is an HP printing support utility that is > installed and enabled in a default installation. The HPLIP package is comprised of two > separate components. The first is the main HPLIP service and the second is a smaller > subcomponent called HPIJS. 
HPLIP is a feature-oriented network service that provides > higher level printing support (such as bi-directional I/O, scanning, photo card, and > toolbox functionality). HPIJS is a lower level basic printing driver that provides basic > support for non-PostScript HP printers.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.8.4.1"> > <xccdf:title xml:lang="en">Disable HPLIP Service if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Since the HPIJS driver will still function without the added > HPLIP service, HPLIP should be disabled unless the specific higher level functions that > HPLIP provides are needed by a non-PostScript HP printer on the system. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig hplip off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: If installing the HPLIP package from scratch, it should be noted that > HPIJS can be installed directly without HPLIP. 
Please see the FAQ at the HPLIP web site > at http://hplip.sourceforge.net/faqs.html for more information on how to do this.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.8.4.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable HPLIP Service if Possible</xccdf:title> > <xccdf:description>The hplip service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4425-5</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20266"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9"> > <xccdf:title xml:lang="en">DHCP</xccdf:title> > <xccdf:description xml:lang="en"> > The Dynamic Host Configuration Protocol (DHCP) allows systems to > request and obtain an IP address and many other parameters from a server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In general, sites > use DHCP either to allow a large pool of mobile or unknown machines to share a limited > number of IP addresses, or to standardize installations by avoiding static, individual IP > address configuration on hosts. It is recommended that sites avoid DHCP as much as possible. > Since DHCP authentication is not well-supported, DHCP clients are open to attacks from rogue > DHCP servers. Such servers can give clients incorrect information (e.g. malicious DNS server > addresses) which could lead to their compromise. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a machine must act as a DHCP client or > server, configure it defensively using the guidance in this section. 
This guide recommends > configuring networking on clients by manually editing the appropriate files under > /etc/sysconfig. It is also possible to use the graphical front-end programs > system-config-network and system-config-network-tui, but these programs rewrite > configuration files from scratch based on their defaults — destroying any manual changes — > and should therefore be used with caution.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.1"> > <xccdf:title xml:lang="en">Disable DHCP Client if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > For each interface IFACE on the system (e.g. eth0), edit > /etc/sysconfig/network-scripts/ifcfg-IFACE and make the following changes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Correct the BOOTPROTO line to read: <xhtml:br/> > <xhtml:br/> > BOOTPROTO=static > </xhtml:li><xhtml:li>Add or correct the following lines, > substituting the appropriate values based on your site's addressing scheme:<xhtml:br/> > <xhtml:br/> > NETMASK=255.255.255.0<xhtml:br/> > IPADDR=192.168.1.2<xhtml:br/> > GATEWAY=192.168.1.1 <xhtml:br/> > </xhtml:li></xhtml:ol> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > DHCP is the default network > configuration method provided by the system installer, so it may be enabled on many > systems.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.9.1.a" operator="equals" type="string"> > <xccdf:title>DHCP BOOTPROTO</xccdf:title> > <xccdf:description xml:lang="en">If BOOTPROTO is not "static", then the only other item that must be set is the DEVICE item; all the rest will be determined by the boot protocol. 
No "dummy" entries need to be created.</xccdf:description> > <xccdf:question xml:lang="en">Choose DHCP BOOTPROTO</xccdf:question> > <xccdf:value>static</xccdf:value> > <xccdf:value selector="bootp">bootp</xccdf:value> > <xccdf:value selector="dhcp">dhcp</xccdf:value> > <xccdf:value selector="static">static</xccdf:value> > <!-- <value selector="none">none</value>--> > <xccdf:choices> > <xccdf:choice>bootp</xccdf:choice> > <xccdf:choice>dhcp</xccdf:choice> > <xccdf:choice>static</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable DHCP Client if Possible</xccdf:title> > <xccdf:description>The dhcp client service should be disabled for each interface.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4191-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/network-scripts/ifcfg-eth*</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20267" value-id="xccdf_cdf_value_var-3.9.1.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20267"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.2"> > <xccdf:title xml:lang="en">Configure DHCP Client if necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If DHCP must be used, then certain configuration changes can > minimize the amount of information it receives and applies from the network, and thus the > amount of incorrect information a rogue DHCP server could successfully distribute. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For more information on configuring dhclient, see the dhclient(8) and dhclient.conf(5) > man pages.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.2.1"> > <xccdf:title xml:lang="en">Minimize the DHCP-Configured Options</xccdf:title> > <xccdf:description xml:lang="en"> > Create the file /etc/dhclient.conf, and add an appropriate > setting for each of the ten configuration settings which can be obtained via DHCP. For > each such setting (written as setting below, with value standing for its static value), do one of the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>If the setting should not be > configured remotely by the DHCP server, select an appropriate static value, and add the > line: <xhtml:br/> > <xhtml:br/> > supersede setting value ; </xhtml:li><xhtml:li>If the setting should be configured remotely by the > DHCP server, add the lines: <xhtml:br/> > <xhtml:br/> > request setting ; <xhtml:br/> > require setting ; </xhtml:li></xhtml:ul> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For example, suppose the > DHCP server should provide only the IP address itself and the subnet mask. 
Then the > entire file should look like: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > supersede domain-name "example.com "; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > supersede domain-name-servers 192.168.1.2 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > supersede nis-domain ""; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > supersede nis-servers "";<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > supersede ntp-servers "ntp.example.com "; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > supersede routers 192.168.1.1 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > supersede time-offset -18000 ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > request subnet-mask; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > require subnet-mask; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, the DHCP > client program, dhclient, requests and applies ten configuration options (in addition to > the IP address) from the DHCP server: subnet-mask, broadcast-address, time-offset, > routers, domain-name, domain-name-servers, host-name, nis-domain, nis-servers, and > ntp-servers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Many of the options requested and applied by dhclient may be the same for > every system on a network. It is recommended that almost all configuration options be > assigned statically, and only options which must vary on a host-by-host basis be > assigned via DHCP. This limits the damage which can be done by a rogue DHCP server. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If > appropriate for your site, it is also possible to supersede the host-name directive in > /etc/dhclient.conf, establishing a static hostname for the machine. However, dhclient > does not use the host name option provided by the DHCP server (instead using the value > provided by a reverse DNS lookup). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: In this example, the options nis-servers and > nis-domain are set to empty strings, on the assumption that the deprecated NIS protocol > is not in use. (See Section 3.2.4.) It is necessary to supersede settings for unused > services so that they cannot be set by a hostile DHCP server. If an option is set to an > empty string, dhclient will typically not attempt to configure the service.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.3"> > <xccdf:title xml:lang="en">Disable DHCP Server if possible</xccdf:title> > <xccdf:description xml:lang="en"> > If the dhcp package has been installed on a machine which does > not need to operate as a DHCP server, disable the daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig dhcpd off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If possible, remove the software as well: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum erase dhcp <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The DHCP server dhcpd is not > installed or activated by default. 
If the software was installed and activated, but the > system does not need to act as a DHCP server, it should be disabled and removed. Unmanaged > DHCP servers will provide faulty information to clients, interfering with the operation of > a legitimate site DHCP server if there is one, or causing misconfigured machines to > exhibit unpredictable behavior if there is not.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.3.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable DHCP Server if possible</xccdf:title> > <xccdf:description>The dhcpd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4336-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig dhcpd off</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20268"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.3.b" selected="false" weight="10.0"> > <xccdf:title>Uninstall DHCP Server if possible</xccdf:title> > <xccdf:description>The dhcp package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4464-4</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:fix># yum erase dhcp</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20269"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.4"> > <xccdf:title xml:lang="en">Configure the DHCP Server if necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If the system must act as a DHCP server, the configuration > information it serves should be minimized. 
Also, support for other protocols and > DNS-updating schemes should be explicitly disabled unless needed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The configuration file > for dhcpd is called /etc/dhcpd.conf. The file begins with a number of global configuration > options. The remainder of the file is divided into sections, one for each block of > addresses offered by dhcpd, each of which contains configuration options specific to that > address block.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.4.1"> > <xccdf:title xml:lang="en">Do Not Use Dynamic DNS</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent the DHCP server from receiving DNS information from > clients, edit /etc/dhcpd.conf, and add or correct the following global option:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ddns-update-style none; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Dynamic DNS protocol is used to remotely update the data > served by a DNS server. DHCP servers can use Dynamic DNS to publish information about > their clients. This setup carries security risks, and its use is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If Dynamic DNS must be used despite the risks it poses, it is critical that Dynamic DNS > transactions be protected using TSIG or some other cryptographic authentication > mechanism. See Section 3.14 for more information about DNS servers, including further > information about TSIG and Dynamic DNS. 
Also see dhcpd.conf(5) for more information > about protecting the DHCP server from passing along malicious DNS data from its clients.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The ddns-update-style option controls only whether the DHCP server will attempt to > act as a Dynamic DNS client. As long as the DNS server itself is correctly configured to > reject DDNS attempts, an incorrect ddns-update-style setting on the client is harmless > (but should be fixed as a best practice).</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.1.a" selected="false" weight="10.0"> > <xccdf:title>Do Not Use Dynamic DNS</xccdf:title> > <xccdf:description>The dynamic DNS feature of the DHCP server should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4257-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20270"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.4.2"> > <xccdf:title xml:lang="en">Deny Decline Messages</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/dhcpd.conf and add or correct the following global > option to prevent the DHCP server from responding the DHCPDECLINE messages, if possible:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > deny declines; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The DHCPDECLINE message can be sent by a DHCP client to indicate that it > does not consider the lease offered by the server to be valid. 
By issuing many > DHCPDECLINE messages, a malicious client can exhaust the DHCP server's pool of IP > addresses, causing the DHCP server to forget old address allocations.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.2.a" selected="false" weight="10.0"> > <xccdf:title>Deny Decline Messages</xccdf:title> > <xccdf:description>DHCPDECLINE messages should be denied by the DHCP server</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4403-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20271"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.4.3"> > <xccdf:title xml:lang="en">Deny BOOTP Queries</xccdf:title> > <xccdf:description xml:lang="en"> > Unless your network needs to support older BOOTP clients, > disable support for the bootp protocol by adding or correcting the global option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > deny bootp; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The bootp option tells dhcpd to respond to BOOTP queries. 
If support for this > simpler protocol is not needed, it should be disabled to remove attack vectors against > the DHCP server.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.3.a" selected="false" weight="10.0"> > <xccdf:title>Deny BOOTP Queries</xccdf:title> > <xccdf:description>BOOTP queries should be denied by the DHCP server</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4345-5</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20272"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.4.4"> > <xccdf:title xml:lang="en">Minimize Served Information</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/dhcpd.conf. Examine each address range section within > the file, and ensure that the following options are not defined unless there is an > operational need to provide this information via DHCP: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > option domain-name <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > option domain-name-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > option nis-domain <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > option nis-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > option ntp-servers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > option routers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > option time-offset <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Because the configuration information provided by the DHCP > server could be maliciously provided to clients by a rogue DHCP server, the amount of > information provided via DHCP should be 
minimized. Remove these definitions from the > DHCP server configuration to ensure that legitimate clients do not unnecessarily rely on > DHCP for this information. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: By default, the RHEL5 client installation uses DHCP to > request much of the above information from the DHCP server. In particular, domain-name, > domain-name-servers, and routers are configured via DHCP. These settings are typically > necessary for proper network functionality, but are also usually static across machines > at a given site. See Section 3.9.2.1 for a description of how to configure static site > information within the DHCP client configuration.</xccdf:description> > <!-- NOTE(review): the rule descriptions in this group were shifted relative to their titles (e.g. the domain-name rule described domain-name-servers). They are aligned to the titles here; confirm that each CCE ident and OVAL definition still checks the option named in the title. --> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.4.a" selected="false" weight="10.0"> > <xccdf:title>DHCP should not send domain-name</xccdf:title> > <xccdf:description>The domain name (domain-name option) should not be sent by the DHCP server.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3724-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20273"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.4.b" selected="false" weight="10.0"> > <xccdf:title>DHCP should not send domain-name-servers</xccdf:title> > <xccdf:description>Domain name server information (domain-name-servers option) should not be sent by the DHCP server.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4243-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20274"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.4.c" 
selected="false" weight="10.0"> > <xccdf:title>DHCP should not send nis-domain</xccdf:title> > <xccdf:description>The NIS domain (nis-domain option) should not be sent by the DHCP server.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4389-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20275"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.4.d" selected="false" weight="10.0"> > <xccdf:title>DHCP should not send nis-servers</xccdf:title> > <xccdf:description>NIS servers (nis-servers option) should not be sent by the DHCP server.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3913-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20276"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.4.e" selected="false" weight="10.0"> > <xccdf:title>DHCP should not send ntp-servers</xccdf:title> > <xccdf:description>NTP servers (ntp-servers option) should not be sent by the DHCP server.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4169-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20277"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.4.f" selected="false" weight="10.0"> > <xccdf:title>DHCP should not send routers</xccdf:title> > <xccdf:description>Default routers (routers option) should not be sent by the DHCP server.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4318-2</xccdf:ident> > <xccdf:fixtext>(1) via 
/etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20278"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.4.g" selected="false" weight="10.0"> > <xccdf:title>DHCP should not send time-offset</xccdf:title> > <xccdf:description>The time offset (time-offset option) should not be sent by the DHCP server.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4319-0</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dhcpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20279"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.4.5"> > <xccdf:title xml:lang="en">Configure Logging</xccdf:title> > <xccdf:description xml:lang="en"> > Ensure that the following line exists in /etc/syslog.conf:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > daemon.* /var/log/daemon.log <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Configure logwatch or other log monitoring tools to > summarize error conditions reported by the dhcpd process. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, dhcpd logs notices > to the daemon facility. 
Sending all daemon messages to a dedicated log file is part of > the syslog configuration outlined in Section 2.6.1.1.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.9.4.5.a" selected="false" weight="10.0"> > <xccdf:title>Configure DHCP Logging</xccdf:title> > <xccdf:description>dhcpd logging should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3733-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/syslog.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20280"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.9.4.6"> > <xccdf:title xml:lang="en">Further Resources</xccdf:title> > <xccdf:description xml:lang="en">* The man pages dhcpd.conf(5) and dhcpd(8) * ISC web page http://isc.org/products/DHCP</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10"> > <xccdf:title xml:lang="en">Network Time Protocol</xccdf:title> > <xccdf:description xml:lang="en"> > The Network Time Protocol is used to manage the system clock over a > network. Computer clocks are not very accurate, so time will drift unpredictably on > unmanaged systems. Central time protocols can be used both to ensure that time is consistent > among a network of machines, and that their time is consistent with the outside world. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Local time synchronization is recommended for all networks. If every machine on your network > reliably reports the same time as every other machine, then it is much easier to correlate > log messages in case of an attack. In addition, a number of cryptographic protocols (such as > Kerberos) use timestamps to prevent certain types of attacks. 
If your network does not have > synchronized time, these protocols may be unreliable or even unusable. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Depending on the specifics of the network, global time accuracy may be just as important as > local synchronization, or not very important at all. If your network is connected to the > Internet, it is recommended that you make use of a public timeserver, since globally > accurate timestamps may be necessary if you need to investigate or respond to an attack > which originated outside of your network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Whether or not you use an outside timeserver, configure > the network to have a small number of machines operating as NTP servers, and the remainder > obtaining time information from those internal servers.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.1"> > <xccdf:title xml:lang="en">Select NTP Software</xccdf:title> > <xccdf:description xml:lang="en"> > The Network Time Protocol (RFC 1305) is designed to synchronize > time with a very high degree of accuracy even on an unreliable network. NTP is therefore a > complex protocol. The Simple Network Time Protocol (RFC 4330) implements a subset of NTP > which is intended to be good enough to meet the time requirements of most networks. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The primary implementation of NTP comes from ntp.org, and is shipped with RHEL5 as the ntp > RPM. An alternative is OpenNTPD, which is an implementation of SNTP, and which can be > obtained as source code from http://www.openntpd.org. OpenNTPD may be simpler to configure > than the reference NTP implementation, at the cost of the need to install and maintain > third-party software. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This guide does not recommend the use of a particular NTP/SNTP > software package, but does recommend that some NTP software be selected and installed on > all machines. The remainder of this section describes how to securely configure NTP > clients and servers, and discusses both the reference NTP implementation and OpenNTPD.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2"> > <xccdf:title xml:lang="en">Configure Reference NTP if Appropriate</xccdf:title> > <xccdf:description xml:lang="en">The ntp RPM implements the reference NTP server.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.1"> > <xccdf:title xml:lang="en">Configure an NTP Client</xccdf:title> > <xccdf:description xml:lang="en"> > There are a number of options for configuring clients to work with the reference NTP server. It is possible to run > ntpd as a service (i.e., continuously) on each host, configuring clients so that the ntp protocol ignores all network > access. This still introduces an additional network listener on client machines, and is therefore not recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This guide instead recommends running ntpd periodically via cron. It is also possible to run ntpdate via cron > with the -u option, but it is being obsoleted in favor of ntpd.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Alternately, even if the server is running the reference NTP implementation, it is possible for clients to access it > using SNTP. 
See Section 3.10.3.2 for information about configuring SNTP clients.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.1.1"> > <xccdf:title xml:lang="en">Set Up Client NTP Configuration File</xccdf:title> > <xccdf:description xml:lang="en"> > A valid configuration file for the client system's ntpd must exist at /etc/ntp.conf. Ensure that /etc/ntp.conf > contains the following line, where ntp-server is the hostname or IP address of the site NTP server:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > server ntp-server<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The ntpd software also includes message authentication support which allows clients to verify that time data > really came from the configured server, and thus to detect spoofed or tampered responses with high probability. This protects the integrity of the time data but does not encrypt it. Without it, an unauthenticated server line trusts whatever answers on the network. See ntpd documentation > at http://www.ntp.org for more details on implementing this recommended feature. 
> </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.1.2"> > <xccdf:title xml:lang="en">Run ntpd using Cron</xccdf:title> > <xccdf:description xml:lang="en"> > Create a file /etc/cron.d/ntpd containing the following crontab:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 15 * * * * root /usr/sbin/ntpd -q -u ntp:ntp<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The -q option instructs ntpd to exit just after setting the clock, and the -u option instructs it to run as the > specified user.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: When setting the clock for the first time, run the above command once, by hand, with the -g option, as ntpd > will otherwise refuse to set the clock if it is significantly different from the source. Do not add -g to the crontab: it disables that sanity check, which is what limits how far a rogue or compromised time server can move the clock in a single step.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This crontab will execute ntpd to synchronize the time to the NTP server at 15 minutes past every hour. (It is > possible to choose a different minute, or to vary the minute between machines in order to avoid heavy traffic to > the NTP server.) Hourly synchronization should be sufficiently frequent that clock drift will not be noticeable.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.2"> > <xccdf:title xml:lang="en">Configure an NTP Server</xccdf:title> > <xccdf:description xml:lang="en"> > The site's NTP server contacts a central NTP server, probably either one provided by your ISP or a public time > server, to obtain accurate time data. 
The server then allows other machines on your network to request the time > data.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The NTP server configuration file is located at /etc/ntp.conf.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.2.1"> > <xccdf:title xml:lang="en">Enable the NTP Daemon</xccdf:title> > <xccdf:description xml:lang="en"> > If this machine is an NTP server, ensure that ntpd is enabled > at boot time: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig ntpd on</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.10.2.2.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Enable the NTP Daemon</xccdf:title> > <xccdf:description>The ntpd service should be enabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4376-0</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:fix># chkconfig ntpd on</xccdf:fix> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20281"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.2.2"> > <xccdf:title xml:lang="en">Deny All Access to ntpd by Default</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/ntp.conf. Prepend or correct the following > line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > restrict default ignore <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Since ntpd is a complex software package which listens > for network connections and runs as root, it must be protected from network access by > unauthorized machines. 
This setting uses ntpd's internal authorization to deny all > access to any machine, server or client, which is not specifically authorized by other > policy settings.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.10.2.2.2.a" selected="false" weight="10.0"> > <xccdf:title>Deny All Access to ntpd by Default</xccdf:title> > <xccdf:description>Network access to ntpd should be denied</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4134-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ntp.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20282"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.2.3"> > <xccdf:title xml:lang="en">Specify a Remote NTP Server for Time Data</xccdf:title> > <xccdf:description xml:lang="en"> > Find the IP address, server-ip , of an appropriate remote NTP > server. Edit the file /etc/ntp.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > restrict server-ip mask 255.255.255.255 nomodify notrap noquery <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > server server-ip <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If your site > does not require time data to be accurate, but merely to be synchronized among local > machines, this step can be omitted, and the NTP server will default to providing time > data from the local clock. However, it is a good idea to periodically synchronize the > clock to some source of accurate time, even if it is not appropriate to do so > automatically. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The previous step disabled all remote access to this NTP server's state > data. This NTP server must contact a remote server to obtain accurate data, so NTP's > configuration must allow that remote data to be used to modify the system clock. The > restrict line changes the default access permissions for that remote server. The > server line specifies the remote server as the preferred NTP server for time data. If > you intend to synchronize to more than one server, specify restrict and server lines > for each server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: It would be possible to specify a hostname, rather than an IP > address, for the server field. However, the restrict setting applies only to network > blocks of IP addresses, so it is considered more maintainable to use the IP address in > both fields.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.10.2.2.3.a" selected="false" weight="10.0"> > <xccdf:title>Specify a Remote NTP Server for Time Data</xccdf:title> > <xccdf:description>A remote NTP Server for time synchronization should be specified</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4385-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/ntp.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20283"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.2.2.4"> > <xccdf:title xml:lang="en">Allow Legitimate NTP Clients to Access the Server</xccdf:title> > <xccdf:description xml:lang="en"> > Determine an appropriate network block, netwk , and network > mask, mask , representing the machines on your network which will synchronize to this > server. 
Edit /etc/ntp.conf and add the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > restrict netwk mask mask nomodify notrap<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/sysconfig/iptables. Add the following line, ensuring that it appears before > the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport 123 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the clients are > spread across more than one netblock, separate restrict and ACCEPT lines should be > added for each netblock. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The iptables configuration is needed because the default > iptables configuration does not allow inbound access to any services. See Section > 2.5.5 for more information about iptables. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The reference NTP implementation will > refuse to serve time data to clients until enough time has elapsed that the server > host's time can be assumed to have settled to an accurate value. While testing, wait > ten minutes after starting ntpd before attempting to synchronize clients.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3"> > <xccdf:title xml:lang="en">Configure OpenNTPD if Appropriate</xccdf:title> > <xccdf:description xml:lang="en"> > OpenNTPD is an implementation of the SNTP protocol which is > provided as a simple alternative to the reference NTP server. 
Advantages of OpenNTPD > include simplicity of configuration, built-in privilege separation and chroot jailing of > the NTP protocol code, and a small codebase which lacks many of the management and other > protocol features used by the reference NTP server. This simplicity comes at the cost of > degraded time accuracy, but SNTP is probably accurate enough for most sites with typical > monitoring requirements.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.1"> > <xccdf:title xml:lang="en">Obtain NTP Software</xccdf:title> > <xccdf:description xml:lang="en"> > If your site intends to use the OpenNTPD implementation, it is > necessary to compile and install the software. (If your site intends to use the > reference NTP implementation, no installation is necessary.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Obtain the software by > downloading an appropriate source version, openntpd-version .tar.gz, from > http://www.openntpd.org/portable.html. </xhtml:li><xhtml:li>Unpack the source code: <xhtml:br/> > <xhtml:br/> > <xhtml:code>$ tar xzf openntpd-version .tar.gz</xhtml:code> </xhtml:li><xhtml:li>Configure and compile the source. 
(By default, the code will > be compiled for installation into /usr/local): <xhtml:br/> > <xhtml:br/> > <xhtml:code>$ cd openntpd-version <xhtml:br/> > $ ./configure --with-privsep-user=ntp <xhtml:br/> > $ make </xhtml:code></xhtml:li><xhtml:li>As root, install the resulting program into > /usr/local: <xhtml:br/> > <xhtml:br/> > <xhtml:code># make install </xhtml:code></xhtml:li></xhtml:ol> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The configuration option --with-privsep-user=ntp tells > OpenNTPD to use the existing system account ntp for the non-root portion of its > operation.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.10.3.1.a" selected="false" weight="10.0"> > <xccdf:title>Obtain NTP Software</xccdf:title> > <xccdf:description>OpenNTPD should be installed</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4032-9</xccdf:ident> > <xccdf:fixtext>(1) via openntpd package</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20284"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.2"> > <xccdf:title xml:lang="en">Configure an SNTP Client</xccdf:title> > <xccdf:description xml:lang="en"> > OpenNTPD runs only in daemon mode — there is no command line > suitable to be run from cron. However, this is considered reasonably safe for client use > because the daemon does not listen on any network ports by default, and because OpenNTPD > is a small codebase with no remote management interface or other complex features. 
> However, it is possible to run a time-stepping program, such as rdate(1), from cron > instead of configuring the daemon as outlined in this section.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.2.1"> > <xccdf:title xml:lang="en">Enable the NTP Daemon</xccdf:title> > <xccdf:description xml:lang="en">Edit the file /etc/rc.local. Add or correct the following line: /usr/local/sbin/ntpd -s</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.10.3.2.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Enable the NTP Daemon</xccdf:title> > <xccdf:description>The ntp daemon should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4424-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/rc.local</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20285"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.2.2"> > <xccdf:title xml:lang="en">Configure the Client NTP Daemon to Use the Local Server</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /usr/local/etc/ntpd.conf. 
Add or correct the > following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > server local-server.example.com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where local-server.example.com is the > hostname of the site's local NTP or SNTP server.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.10.3.2.2.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Configure the Client NTP Daemon to Use the Local Server</xccdf:title> > <xccdf:description>The ntp daemon synchronization server should be set appropriately</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3487-6</xccdf:ident> > <xccdf:fixtext>(1) via /usr/local/etc/ntpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20286"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.3"> > <xccdf:title xml:lang="en">Configure an SNTP Server</xccdf:title> > <xccdf:description xml:lang="en">The SNTP server obtains time data from a remote server, and then listens on a network interface for time queries from local machines.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.3.1"> > <xccdf:title xml:lang="en">Enable the NTP Daemon</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/rc.local. 
Add or correct the following > line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > /usr/local/sbin/ntpd -s <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Since OpenNTPD is third-party software, it does not have > a standard startup script, so the daemon is started at boot using the local facility.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.3.2"> > <xccdf:title xml:lang="en">Listen for Client Connections</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /usr/local/etc/ntpd.conf. Add or correct the > following line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > listen on ipaddr <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where ipaddr is the primary IP address of this server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, ntpd does not listen for any connections over a network. Listening > must be actively enabled on NTP servers so that clients may obtain time data.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.3.3"> > <xccdf:title xml:lang="en">Allow Legitimate NTP Clients to Access the Server</xccdf:title> > <xccdf:description xml:lang="en"> > Determine an appropriate network block, netwk , and network > mask, mask , representing the machines on your network which will synchronize to this > server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/sysconfig/iptables. 
Add the following line, ensuring that it appears > before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport 123 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The iptables configuration is needed because the default iptables configuration does > not allow inbound access to any services. See Section 2.5.5 for more information about > iptables.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.10.3.3.4"> > <xccdf:title xml:lang="en">Specify a Remote NTP Server for Time Data</xccdf:title> > <xccdf:description xml:lang="en"> > Find the hostname, server-host , of an appropriate remote NTP > server. Edit the file /usr/local/etc/ntpd.conf, and add or correct the following > line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > server server-host <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This setting configures ntpd to obtain time data from the > remote host. To use multiple time servers, add one line for each server.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11"> > <xccdf:title xml:lang="en">Mail Transfer Agent</xccdf:title> > <xccdf:description xml:lang="en"> > Mail servers are used to send and receive mail over a network on > behalf of site users. Mail is a very common service, and MTAs are frequent targets of > network attack. 
Ensure that machines are not running MTAs unnecessarily, and configure > needed MTAs as defensively as possible.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.11.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Mail Transfer Agent</xccdf:title> > <xccdf:description>The sendmail service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4416-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20287"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.1"> > <xccdf:title xml:lang="en">Select Mail Server Software and Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > Select one of the following options for configuring e-mail on the > machine: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>If this machine does not need to operate as a mail server, follow the > instructions in Section 3.11.2 to run sendmail in submission-only mode.</xhtml:li><xhtml:li>If the machine > must operate as a mail server, read the strategies for MTA configuration in Section 3.11.3 > for information about configuration options. Then apply both the MTA-independent operating > system configuration guidance in Section 3.11.4, and the specific guidance for your MTA: > <xhtml:ul><xhtml:li>If the Sendmail MTA is preferred, see Section 3.11.5. </xhtml:li><xhtml:li>If the Postfix MTA is preferred, see Section 3.11.6. </xhtml:li><xhtml:li>If another MTA is preferred, use that MTA's documentation to > implement the ideas in Section 3.11.3. 
</xhtml:li></xhtml:ul> > </xhtml:li></xhtml:ul> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is recommended that very few machines at any > site be configured to receive mail over a network. However, it may be necessary for most > machines at a given site to send e-mail, for instance so that cron jobs can report output > to an administrator. Sendmail supports a submission-only mode in which mail can be sent > from the machine to a central site MTA, but the machine cannot receive mail over a > network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a Mail Transfer Agent (MTA) is needed, the system default is Sendmail. > Postfix, a popular alternative written with security in mind, is also available. Postfix > can be more effectively contained by SELinux as its modular design has resulted in > separate processes performing specific actions. More information on these MTAs is > available from their respective websites, http://www.sendmail.org and > http://www.postfix.org.</xccdf:description> > <xccdf:reference>Hildebrandt, R., and Koetter, P. The Book of Postfix. No Starch Press, 2005</xccdf:reference> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.2"> > <xccdf:title xml:lang="en">Configure SMTP For Mail Client</xccdf:title> > <xccdf:description xml:lang="en"> > This guide discusses the use of Sendmail for submission-only > e-mail configuration. It is also possible to use Postfix.</xccdf:description> > <xccdf:reference>Hunt, C. Sendmail Cookbook. O'Reilly and Associates, 2003</xccdf:reference> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.2.1"> > <xccdf:title xml:lang="en">Disable the Listening Sendmail Daemon</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/sysconfig/sendmail. 
Add or modify the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > DAEMON=no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The MTA performs two functions: listening over a network for incoming SMTP > e-mail requests, and sending mail from the local machine. Since outbound mail may be > delayed due to network outages or other problems, the outbound MTA runs in a queue-only > mode, in which it periodically attempts to resend any delayed mail. Setting DAEMON=no > tells sendmail to execute only the queue runner on this machine, and never to receive > SMTP mail requests.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.11.2.1.a" selected="false" weight="10.0"> > <xccdf:title>Disable the Listening Sendmail Daemon</xccdf:title> > <xccdf:description>The listening sendmail daemon should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4293-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/sendmail</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20288"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.2.2"> > <xccdf:title xml:lang="en">Configure Mail Submission if Appropriate</xccdf:title> > <xccdf:description xml:lang="en"> > If it is appropriate to configure mail submission with a > central MTA, edit /etc/mail/submit.cf. 
Locate the line beginning with D{MTAHost}, and > modify it to read: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > D{MTAHost}mailserver <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where mailserver is the hostname of the server > to which this machine should forward its outgoing mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This suggestion is provided as a > simple way to migrate away from a configuration in which each machine at a site runs its > own MTA, to a configuration in which client machines do not run listening daemons. If > this modification is made to /etc/mail/submit.cf, then, when a local process on a > machine attempts to send mail, the message will be forwarded to the machine mailserver > for processing. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Modifying /etc/mail/submit.cf directly is only appropriate if your site > does not perform any other mailserver customization on clients. If other customization > is done, use your usual Sendmail change procedure to define the MTA host. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: In > addition to making this change on the client, it may also be necessary to reconfigure > the MTA on mailserver so that it will relay mail on behalf of this host.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.3"> > <xccdf:title xml:lang="en">Strategies for MTA Security</xccdf:title> > <xccdf:description xml:lang="en"> > This section discusses several types of MTA configuration which > should be performed in order to protect against attacks involving the mail system. 
Though > configuration syntax will differ depending on which MTA is in use (see Section 3.11.5 for > Sendmail configuration syntax and Section 3.11.6 for Postfix), these strategies are > generally advisable for any MTA, including ones not covered by this guide.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.3.1"> > <xccdf:title xml:lang="en">Use Resource Limits to Mitigate Denial of Service</xccdf:title> > <xccdf:description xml:lang="en"> > It is often desirable to constrain an attacker's ability to > consume a mail server's resources simply by sending otherwise valid mail at a high rate, > whether maliciously or accidentally. Relevant resource limits include > constraints on: the number of MTA daemons which may run at one time, the rate at > which incoming messages may be received, the size and complexity of each message, or the > amount of mail queue space which must remain free in order for mail to be delivered.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > That last parameter deserves additional explanation. Most MTAs require queue space for > temporary files in order to process existing messages in their queues. Therefore, if the > queue filesystem is allowed to fill completely in a denial of service, the MTA will not > be able to clear its own queue even when the malicious traffic has stopped. This will > delay recovery from an attack.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.3.2"> > <xccdf:title xml:lang="en">Configure SMTP Greeting Banner</xccdf:title> > <xccdf:description xml:lang="en"> > When remote mail senders connect to the MTA on port 25, they > are greeted by an initial banner as part of the SMTP dialogue. This banner is necessary, > but it frequently gives away too much information, including the MTA software which is > in use, and sometimes also its version number. 
Remote mail senders do not need this > information in order to send mail, so the banner should be changed to reveal only the > hostname (which is already known and may be useful) and the word ESMTP, to indicate that > the modern SMTP protocol variant is supported.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.3.3"> > <xccdf:title xml:lang="en">Control Mail Relaying</xccdf:title> > <xccdf:description xml:lang="en"> > The sending of Unsolicited Bulk E-mail, referred to variously > as UBE, UCE, or spam, is a major problem on the Internet today. The security > implications of spam are that it operates as a Denial of Service attack on legitimate > e-mail use. Strategies for fighting spam receipt at your site are complex and quickly > evolving, and thus far beyond the scope of this guide. The problem of relaying > unauthorized e-mail, however, can and should be addressed by any network-connected site.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Most MTAs perform two functions: to accept mail from remote sites on behalf of local > users, and to allow local users to send mail to remote sites. The former function is > relatively easy — mail whose recipient address is local can be assumed to be destined > for a local user. The latter function is more complex. Since it is typically considered > neither secure nor desirable for users to log in to the MTA host itself to send mail, > the MTA must be able to remotely accept mail addressed to anyone from the user's > workstation. If the MTA is running very old software or is configured poorly, it can be > possible for attackers to take advantage of this feature, using your MTA to relay their > spam from one remote site to another. This is undesirable for many reasons, not least > that your site will quickly be blacklisted as a spam source, leaving you unable to send > legitimate e-mail to your correspondents. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The simplest solution described in this guide > is to configure the MTA to relay mail only from the local site's address range, and some > variant on this is the default for most modern MTAs. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > That solution may be insufficient > for sites whose users need to send mail from remote machines, for instance while > travelling, as well as for sites where mail submission must be accepted from network > ranges which are not considered secure, either because authorized machines are unmanaged > or because it is possible to connect unauthorized machines to the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If remote or > mobile hosts are authorized to relay, or if local clients exist in insecure netblocks, > the SMTP AUTH protocol should be used to require mail senders to authenticate before > submitting messages. For better protection and to allow support for a wide range of > authentication mechanisms without sending passwords over a network in clear text, SMTP > AUTH transactions should be encrypted using SSL. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Another approach is to require mail to > be submitted on port 587, the designated Message Submission Port. Use of a separate port > allows the mail relay function to be entirely separated from the mail delivery function. > This may become a best practice in the future, but description of how to configure the > Message Submission Port is currently beyond the scope of this guide. 
See RFC 2476 for > information about this configuration.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4"> > <xccdf:title xml:lang="en">Configure Operating System to Protect Mail Server</xccdf:title> > <xccdf:description xml:lang="en"> > The guidance in this section is appropriate for any host which is > operating as a site MTA, whether the mail server runs using Sendmail, Postfix, or some > other software.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.1"> > <xccdf:title xml:lang="en">Use Separate Hosts for External and Internal Mail if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > The mail server is a frequent target of network attack from the > outside. However, since all site users receive mail, the mail server must be open to > some connection from each inside users. It is strongly recommended that these functions > be separated, by having an externally visible mail server which processes all incoming > and outgoing mail, then forwards internal mail to a separate machine from which users > can access it.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.2"> > <xccdf:title xml:lang="en">Protect the MTA Host from User Access</xccdf:title> > <xccdf:description xml:lang="en"> > The mail server contains privileged data belonging to all users > and performs a vital network function. Preventing users from logging into this server is > a precaution against privilege escalation or denial of service attacks which might > compromise the mail service. 
Take steps to ensure that only system administrators are > allowed shell access to the MTA host.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.3"> > <xccdf:title xml:lang="en">Restrict Remote Access to the Mail Spool</xccdf:title> > <xccdf:description xml:lang="en"> > If users directly connect to this machine to receive mail, > ensure that there is a single, well-secured mechanism for access to the directory > /var/spool/mail (the directory /var/mail is a symlink to this). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Allowing unrestricted > access to /var/spool/mail can be dangerous, since this directory contains sensitive > information belonging to all users. Protocols such as NFS, which have an insecure > authorization mechanism by default, should be considered insufficient for these > purposes. See Section 3.17 for details on secure configuration of POP3 or IMAP, which > are the preferred ways to provide user access to mail.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.4"> > <xccdf:title xml:lang="en">Configure iptables to Allow Access to the Mail Server</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/sysconfig/iptables. Add the following line, ensuring > that it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default > Iptables configuration does not allow inbound access to the SMTP service. This > modification allows that access, while keeping other ports on the server in their > default protected state. 
See Section 2.5.5 for more information about Iptables.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.5"> > <xccdf:title xml:lang="en">Verify System Logging and Log Permissions for Mail</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/syslog.conf. Add or correct the following > line if necessary (this is the default): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > mail.* -/var/log/maillog <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Run the following commands to ensure correct permissions on the mail log: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /var/log/maillog <xhtml:br/> > # chmod 600 /var/log/maillog <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The mail server logs contain a record of > every e-mail which is sent or received on the system, which is considered sensitive > information by most sites. It is necessary that these logs be collected for purposes of > debugging and statistics, but their contents should be protected from unauthorized > access.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.6"> > <xccdf:title xml:lang="en">Configure SSL Certificates for Use with SMTP AUTH</xccdf:title> > <xccdf:description xml:lang="en"> > If SMTP AUTH is to be used (see Section 3.11.3.3 for a > description of possible anti-relaying mechanisms), the use of SSL to protect credentials > in transit is strongly recommended. There are also configurations for which it may be > desirable to encrypt all mail in transit from one MTA to another, though such > configurations are beyond the scope of this guide. 
In either event, the steps for > creating and installing an SSL certificate are independent of the MTA in use, and are > described here.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.6.1"> > <xccdf:title xml:lang="en">Create an SSL Certificate</xccdf:title> > <xccdf:description xml:lang="en"> > Note: This step must be performed on your CA system, not on > the MTA host itself. If you will have a commercial CA sign certificates, then this > step should be performed on a separate, physically secure system devoted to that > purpose. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Change into the CA certificate directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Generate a key pair for the mail server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl genrsa -out mailserverkey.pem 2048 <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Next, > generate a certificate signing request (CSR) for the CA to sign, making sure to supply > your mail server's fully qualified domain name as the Common Name: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key mailserverkey.pem -out mailserver.csr <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Next, the mail server CSR must be signed to > create the mail server certificate. You can either send the CSR to an established CA > or sign it with your CA. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To sign mailserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in mailserver.csr -out mailservercert.pem <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This step creates a private key, > mailserverkey.pem, and a public certificate, mailservercert.pem. The mail server will > use these to prove its identity by demonstrating that it has a certificate which has > been signed by a CA. Mail clients at your site should be willing to send their mail > only to a server they can authenticate.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.4.6.2"> > <xccdf:title xml:lang="en">Install the SSL Certificate</xccdf:title> > <xccdf:description xml:lang="en"> > Create the PKI directory for mail certificates, if it does > not already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/mail <xhtml:br/> > # chown root:root /etc/pki/tls/mail <xhtml:br/> > # chmod 755 /etc/pki/tls/mail <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Using removable media or some other secure transmission > format, install the files generated in the previous step onto the mail server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem</xhtml:li><xhtml:li>/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</xhtml:li></xhtml:ul> > <xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify the ownership and permissions of these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/mail/serverkey.pem <xhtml:br/> > # chown root:root /etc/pki/tls/mail/servercert.pem <xhtml:br/> > # chmod 600 /etc/pki/tls/mail/serverkey.pem <xhtml:br/> > # chmod 644 /etc/pki/tls/mail/servercert.pem<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify that the CA's public certificate file has been installed as > /etc/pki/tls/CA/cacert.pem, and has the correct permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/> > # chmod 644 /etc/pki/tls/CA/cacert.pem</xhtml:code></xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.5"> > <xccdf:title xml:lang="en">Configure Sendmail Server if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > When sendmail is configured to act as a server for incoming mail, > it listens on port 25 for connections, and responds to those connections using the > configuration in /etc/mail/sendmail.cf. This file has a somewhat opaque format, and > modifying it directly is generally not recommended. 
Instead, the following procedure > should be used to modify the sendmail configuration: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Install the sendmail-cf RPM, which > is required in order to compile a new configuration file: <xhtml:br/> > <xhtml:br/> > <xhtml:code># yum install sendmail-cf<xhtml:br/></xhtml:code></xhtml:li><xhtml:li>Edit the M4 source file /etc/mail/sendmail.mc as directed by the configuration step you > are applying. </xhtml:li><xhtml:li>Inside the directory /etc/mail/, use make to build the configuration > according to the Makefile provided by Sendmail: <xhtml:br/> > <xhtml:br/> > <xhtml:code># cd /etc/mail <xhtml:br/> > # make sendmail.cf</xhtml:code></xhtml:li></xhtml:ol></xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.5.1"> > <xccdf:title xml:lang="en">Limit Denial of Service Attacks</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/mail/sendmail.mc, and add or correct the following > options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confMAX_DAEMON_CHILDREN',`40')dnl > define(`confCONNECTION_RATE_THROTTLE', `3 ')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confMIN_FREE_BLOCKS',`20971520')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confMAX_HEADERS_LENGTH',`51200')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confMAX_MESSAGE_SIZE',`10485760')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confMAX_RCPTS_PER_MESSAGE',`100')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The values given here are examples, and may need to be modified for any > particular site, especially one with high e-mail volume. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These configuration options > serve to make it more difficult for attackers to consume resources on the MTA host. (See > Section 3.11.3.1 for details on why this is done.) The MAX DAEMON CHILDREN option limits > the number of sendmail processes which may be deployed to handle incoming connections at > any one time, while CONNECTION RATE THROTTLE limits the number of connections per second > which each listener may receive. The MIN FREE BLOCKS option stops e-mail receipt when > the queue filesystem is close to full. The MAX HEADERS LENGTH (bytes), MAX MESSAGE SIZE > (bytes), and MAX RCPTS PER MESSAGE (distinct recipients) options place bounds on the > legal sizes of messages received via SMTP.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.5.2"> > <xccdf:title xml:lang="en">Configure SMTP Greeting Banner</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/mail/sendmail.mc, and add or correct the following > line, substituting an appropriate greeting string for $j : <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confSMTP_LOGIN_MSG', `$j ')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and recompile sendmail's configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default greeting banner discloses > that the listening mail process is Sendmail rather than some other MTA, and also > provides the version number. See Section 2.3.7 for more about warning banners, and > Section 3.11.3.2 for strategies regarding SMTP greeting banners in particular. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Sendmail variable $j contains the hostname of the mail server, which may be an > appropriate greeting string for most environments.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.5.3"> > <xccdf:title xml:lang="en">Control Mail Relaying</xccdf:title> > <xccdf:description xml:lang="en"> > This guide will discuss two mechanisms for controlling mail > relaying in Sendmail. The /etc/mail/relay-domains file contains a list of hostnames that > are allowed to relay mail. Follow the guidance in Section 3.11.5.3.1 to configure > relaying for trusted machines. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there are machines which must be allowed to relay > mail, but which cannot be trusted to relay unconditionally, configure SMTP AUTH with TLS > support using the guidance in Sections 3.11.5.3.2 and following.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.5.3.1"> > <xccdf:title xml:lang="en">Configure Trusted Networks and Hosts</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>If all machines which share a common domain or subdomain > name may relay, then edit /etc/mail/ relay-domains, adding a line for each domain or > subdomain, e.g.: <xhtml:br/> > <xhtml:br/> > example.com <xhtml:br/> > trusted-subnet.school.edu <xhtml:br/> > ... 
</xhtml:li><xhtml:li>If the machines which are > allowed to relay must be specified on a per-host basis, then edit /etc/mail/ > relay-domains, adding a line for each such host: <xhtml:br/> > <xhtml:br/> > host1.example.com<xhtml:br/> > host5.subnet.example.com <xhtml:br/> > smtp.trusted-subnet.school.edu <xhtml:br/> > <xhtml:br/> > Then edit /etc/mail/sendmail.mc, add or correct the line: <xhtml:br/> > <xhtml:br/> > FEATURE(`relay_hosts_only')dnl <xhtml:br/> > <xhtml:br/> > and recompile sendmail's configuration. </xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The file /etc/mail/relay-domains must contain only > the set of machines for which this MTA should unconditionally relay mail. This > configures both inbound and outbound relaying, that is, hosts mentioned in > relay-domains may send mail through the MTA, and the MTA will also accept inbound mail > addressed to such hosts. This is a trust relationship — if spammers gain access to > these machines, your site will effectively become an open relay. It is recommended > that only machines which are managed by you or by another trusted organization be > placed in relay-domains, and that users of all other machines be required to use SMTP > AUTH to send mail. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The relay-domains file must be configured to contain either a > list of domains (in which case every host in each of those domains will be allowed to > relay) or a list of hosts (in which case each individual relaying host must be listed > and the sendmail.cf must be reconfigured to interpret the relay-domains file in the > desired way).</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.5.3.2"> > <xccdf:title xml:lang="en">Require SMTP AUTH Before Relaying from Untrusted Clients</xccdf:title> > <xccdf:description xml:lang="en"> > By default, Sendmail uses the Cyrus-SASL library to provide > authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To enable the use of SASL authentication for relaying, edit > /etc/mail/sendmail.mc and add or correct the following settings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > TRUST_AUTH_MECH(`LOGIN PLAIN') <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confAUTH_MECHANISMS', `LOGIN PLAIN') <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and recompile sendmail.cf. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Then edit /usr/lib/sasl2/Sendmail.conf and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > pwcheck_method: saslauthd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Enable the saslauthd daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig saslauthd on <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The AUTH MECHANISMS configuration option tells sendmail to allow the > specified authentication mechanisms to be used during the SMTP dialogue. The two > listed mechanisms use SASL to test a password provided by the user. Since these > mechanisms transmit plaintext passwords, they should be protected using TLS as > described in the next section. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The TRUST AUTH MECH command tells sendmail that senders > who successfully authenticate using the specified mechanism may relay mail through > this MTA even if their addresses are not in relay-domains. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The file > /usr/lib/sasl/Sendmail.conf is the Cyrus-SASL configuration file for Sendmail. The > pwcheck method directive tells SASL how to find passwords. The simplest method, > described here, is to run a separate authentication daemon, saslauthd, which is able > to communicate with the system authentication service. On Red Hat, saslauthd uses PAM > by default, which should work in most cases. 
If you have a centralized authentication > system which does not work via PAM, look at the saslauthd(8) manpage to determine how > to configure saslauthd for your environment.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.5.3.3"> > <xccdf:title xml:lang="en">Require TLS for SMTP AUTH</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/mail/sendmail.mc, add or correct the following > lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confAUTH_OPTIONS', `A p')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confCACERT_PATH', `/etc/pki/tls/CA')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confCACERT', `/etc/pki/tls/CA/cacert.pem')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confSERVER_CERT', `/etc/pki/tls/mail/servercert.pem')dnl<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > define(`confSERVER_KEY', `/etc/pki/tls/mail/serverkey.pem')dnl <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and recompile sendmail.cf. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These options, combined with the previous settings, tell Sendmail to > protect all SMTP AUTH transactions using TLS. The first four options describe the > location of the necessary TLS certificate and key files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The AUTH OPTIONS parameter > configures the SMTP AUTH dialogue. The A option is enabled by default, and simply says > that authentication is allowed if an appropriate mechanism can be found. The p option > tells Sendmail to protect against passive attacks. 
The PLAIN and LOGIN authentication > mechanisms, recommended by this guide for compatibility with PAM, send passwords in > the clear. (Cleartext password transmissions are vulnerable to passive attack.) > Therefore, if p is set, the SMTP daemon will not make the AUTH command available until > after the client has used the STARTTLS command to encrypt the session. If other > authentication mechanisms were enabled which did not send passwords in the clear, then > TLS would not necessarily be required.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6"> > <xccdf:title xml:lang="en">Configure Postfix if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > Postfix stores its configuration files in the directory > /etc/postfix by default. The primary configuration file is /etc/postfix/main.cf. Other > files will be introduced as needed.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6.1"> > <xccdf:title xml:lang="en">Limit Denial of Service Attacks</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/postfix/main.cf. 
Add or correct the following lines:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > default_process_limit = 100 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_client_connection_count_limit = 10<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_client_connection_rate_limit = 30 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > queue_minfree = 20971520 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > header_size_limit = 51200 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > message_size_limit = 10485760 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_recipient_limit = 100 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The values given > here are examples, and may need to be modified for any particular site. By default, the > Postfix anvil process gathers mail receipt statistics. To get information about > what connection rates are typical at your site, look in /var/log/maillog for lines with > the daemon name postfix/anvil. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These configuration options serve to make it more > difficult for attackers to consume resources on the MTA host. (See Section 3.11.3.1 for > details on why this is done.) The default process limit parameter controls how many > smtpd processes can exist at a time, while smtpd_client_connection_count_limit controls > the number of those which can be occupied by any one remote sender, and > smtpd_client_connection_rate_limit controls the number of connections any one client > can make per minute. By default, local hosts (those in mynetworks) are exempted from > per-client rate limiting. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The queue_minfree parameter establishes a free space threshold, in order to > stop e-mail receipt before the queue filesystem is entirely full. The header_size_limit, > message_size_limit, and smtpd recipient limit parameters place bounds on the legal sizes > of messages received via SMTP.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6.2"> > <xccdf:title xml:lang="en">Configure SMTP Greeting Banner</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/postfix/main.cf, and add or correct the following > line, substituting some other wording for the banner information if you prefer:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_banner = $myhostname ESMTP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default greeting banner discloses that the > listening mail process is Postfix. See Section 2.3.7 for more about warning banners, and > Section 3.11.3.2 for strategies regarding SMTP greeting banners in particular.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6.3"> > <xccdf:title xml:lang="en">Control Mail Relaying</xccdf:title> > <xccdf:description xml:lang="en"> > Postfix's mail relay controls are implemented with the help of > the smtpd recipient restrictions option, which controls the restrictions placed on the > SMTP dialogue once the sender and recipient envelope addresses are known. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The guidance > in Sections 3.11.6.3.1–3.11.6.3.2 should be applied to all machines. 
If there are > machines which must be allowed to relay mail, but which cannot be trusted to relay > unconditionally, configure SMTP AUTH with SSL support using the guidance in Sections > 3.11.6.3.3 and following.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6.3.1"> > <xccdf:title xml:lang="en">Configure Trusted Networks and Hosts</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/postfix/main.cf, and configure the contents of the > mynetworks variable in one of the following ways: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>If any machine in the subnet > containing the MTA may be trusted to relay messages, add or correct the line:<xhtml:br/> > <xhtml:br/> > mynetworks_style = subnet </xhtml:li><xhtml:li>If only the MTA host itself is trusted to relay messages, > add or correct: <xhtml:br/> > <xhtml:br/> > mynetworks_style = host </xhtml:li><xhtml:li>If the set of machines which can relay is > more complicated, manually specify an entry for each netblock or IP address which is > trusted to relay by setting the mynetworks variable directly: <xhtml:br/> > <xhtml:br/> > mynetworks = 10.0.0.0/16 , 192.168.1.0/24 , 127.0.0.1 </xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The mynetworks variable must contain only the set of > machines for which this MTA should unconditionally relay mail. This is a trust > relationship — if spammers gain access to these machines, your site will effectively > become an open relay. 
It is recommended that only machines which are managed by you or > by another trusted organization be placed in mynetworks, and users of all other > machines be required to use SMTP AUTH to send mail.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6.3.2"> > <xccdf:title xml:lang="en">Allow Unlimited Relaying for Trusted Networks Only</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/postfix/main.cf, and add or correct the smtpd > recipient restrictions definition so that it contains at least:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_recipient_restrictions = <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > permit_mynetworks, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > reject_unauth_destination, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ...<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The full contents of smtpd recipient restrictions will vary by site, since this is a > common place to put spam restrictions and other site-specific options. The permit > mynetworks option allows all mail to be relayed from the machines in mynetworks. Then, > the reject unauth destination option denies all mail whose destination address is not > local, preventing any other machines from relaying. 
These two options should always > appear in this order, and should usually follow one another immediately unless SMTP > AUTH is used.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6.3.3"> > <xccdf:title xml:lang="en">Require SMTP AUTH Before Relaying from Untrusted Clients</xccdf:title> > <xccdf:description xml:lang="en"> > SMTP authentication allows remote clients to relay mail > safely by requiring them to authenticate before submitting mail. Postfix's SMTP AUTH > uses an authentication library called SASL, which is not part of Postfix itself. This > section describes how to configure authentication using the Cyrus-SASL implementation. > See below for a discussion of other options. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To enable the use of SASL authentication, > edit /etc/postfix/main.cf and add or correct the following settings:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_sasl_auth_enable = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_recipient_restrictions = <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > permit_mynetworks,<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > permit_sasl_authenticated, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > reject_unauth_destination, <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ...<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Then edit > /usr/lib/sasl/smtpd.conf and add or correct the following line with the correct > authentication mechanism for SASL to use: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > pwcheck_method: saslauthd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Enable the saslauthd daemon: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig saslauthd on <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Postfix can use either the Cyrus library or > Dovecot as a source for SASL authentication. If this host is running Dovecot for some > other reason, it is recommended that Dovecot's SASL support be used instead of running > the Cyrus code as well. See http://www.postfix.org/SASL_README.html for instructions > on implementing that configuration, which is not described in this guide. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In Postfix's > configuration, the directive smtpd sasl auth enable tells smtpd to allow the use of > the SMTP AUTH command during the SMTP dialogue, and to support that command by getting > authentication information from SASL. 
The smtpd recipient restrictions directive is > changed so that, if the client is not connecting from a trusted address, it is allowed > to attempt authentication (permit sasl authenticated) in order to relay mail. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The file > /usr/lib/sasl/smtpd.conf is the Cyrus-SASL configuration file. The pwcheck method > directive tells SASL how to find passwords. The simplest method, described above, is > to run a separate authentication daemon, saslauthd, which is able to communicate with > the system authentication system. On RHEL5, saslauthd uses PAM by default, which > should work in most cases. If you have a centralized authentication system which does > not work via PAM, look at the saslauthd(8) manpage to find out how to configure > saslauthd for your environment.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.11.6.4"> > <xccdf:title xml:lang="en">Require TLS for SMTP AUTH</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/postfix/main.cf, and add or correct the following > lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_tls_CApath = /etc/pki/tls/CA <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_tls_CAfile = /etc/pki/tls/CA/cacert.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_tls_cert_file = /etc/pki/tls/mail/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_tls_key_file = /etc/pki/tls/mail/serverkey.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_tls_security_level = may <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > smtpd_tls_auth_only = yes<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These options tell Postfix to protect all SMTP AUTH 
transactions using TLS. The first > four options describe the locations of the necessary TLS key files. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The smtpd_tls_security_level directive tells smtpd to allow the STARTTLS command during the SMTP > protocol exchange, but not to require it for mail senders. (Unless your site receives > mail only from other trusted sites whose sysadmins can be asked to maintain a copy of > your site certificate, you do not want to require TLS for all SMTP exchanges.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The smtpd_tls_auth_only directive tells smtpd to require the STARTTLS command before allowing the > client to attempt to authenticate for relaying using SMTP AUTH. It may not be possible > to use this directive if you must allow relaying from non-TLS-capable client software. > If this is the case, simply omit that line.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12"> > <xccdf:title xml:lang="en">LDAP</xccdf:title> > <xccdf:description xml:lang="en"> > LDAP is a popular directory service, that is, a standardized way of > looking up information from a central database. It is relatively simple to configure a RHEL5 > machine to obtain authentication information from an LDAP server. If your network uses LDAP > for authentication, be sure to configure both clients and servers securely.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.1"> > <xccdf:title xml:lang="en">Use OpenLDAP to Provide LDAP Service if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > The system's default LDAP client/server program is called > OpenLDAP. 
Its documentation is available at the project web page: http://www.openldap.org.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.2"> > <xccdf:title xml:lang="en">Configure OpenLDAP Clients</xccdf:title> > <xccdf:description xml:lang="en"> > This guide recommends configuring OpenLDAP clients by manually > editing the appropriate configuration files. RHEL5 provides an automated configuration > tool called authconfig and a graphical wrapper for authconfig called > system-config-authentication. However, these tools do not give sufficient flexibility over > configuration. The authconfig tools do not allow you to specify locations of SSL > certificate files, which is useful when trying to use SSL cleanly across several > protocols. They are also overly aggressive in placing services such as netgroups and > automounter maps under LDAP control, where it is safer to use LDAP only for services to > which it is relevant in your environment.</xccdf:description> > <xccdf:warning xml:lang="en">Before configuring any machine to be an LDAP client, ensure that > a working LDAP server is present on the network. See Section 3.12.3 for instructions on > configuring an LDAP server. </xccdf:warning> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.2.1"> > <xccdf:title xml:lang="en">Configure the Appropriate LDAP Parameters for the Domain</xccdf:title> > <xccdf:description xml:lang="en"> > Assume the fully qualified host name of your LDAP server is > ldap.example.com and the base DN of your domain is dc=example,dc=com (it is conventional > to use the domain name as a base DN). Edit /etc/ldap. 
conf, and add or correct the > following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > base dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > uri ldap://ldap.example.com/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Then edit /etc/openldap/ldap.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > BASE dc=example,dc=com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > URI ldap://ldap.example.com/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The machine whose hostname is given here must be > configured as an LDAP server, serving data identified by the base DN used here. See > Section 3.12.3 for details on configuring an LDAP server.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.2.2"> > <xccdf:title xml:lang="en">Configure LDAP to Use TLS for All Transactions</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Ensure a copy of the site's CA certificate has been placed > in the file /etc/pki/tls/CA/cacert.pem. </xhtml:li><xhtml:li>Configure LDAP to enforce TLS use and to > trust certificates signed by the site's CA. 
First, edit the file /etc/ldap.conf, and add > or correct the following lines: <xhtml:br/> > <xhtml:br/> > ssl start_tls <xhtml:br/> > tls_checkpeer yes <xhtml:br/> > tls_cacertdir /etc/pki/tls/CA <xhtml:br/> > tls_cacertfile /etc/pki/tls/CA/cacert.pem <xhtml:br/> > <xhtml:br/> > Then edit /etc/openldap/ldap.conf, and add or correct the following lines: <xhtml:br/> > <xhtml:br/> > TLS_CACERTDIR /etc/pki/tls/CA <xhtml:br/> > TLS_CACERT /etc/pki/tls/CA/cacert.pem </xhtml:li></xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Section 2.5.6 describes the > system-wide configuration of SSL for your enterprise. It is possible to place your > certificate information under some directory other than /etc/pki/tls, but using a > consistent directory structure across all SSL services at your site is recommended. The > LDAP server must be configured with a certificate signed by the CA certificate named > here.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.12.2.2.a" selected="false" weight="10.0"> > <xccdf:title>Configure LDAP to Use TLS for All Transactions</xccdf:title> > <xccdf:description>Clients require LDAP servers to provide valid certificates for SSL communications.</xccdf:description> > <xccdf:fixtext>(1) via /etc/ldap.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:202885"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.2.3"> > <xccdf:title xml:lang="en">Configure Authentication Services to Use OpenLDAP</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/ldap.conf, and add or correct the following > lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > pam_password md5 <xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file /etc/nsswitch.conf, and add or correct the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > passwd: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > shadow: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > group: files ldap <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file > /etc/pam.d/system-auth-ac. Make the following changes, which will add references to LDAP > in each of the four sections of the file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Immediately before the last line in the auth > section (the one containing pam_deny.so), insert the line: <xhtml:br/> > <xhtml:br/> > auth sufficient pam_ldap.so use_first_pass </xhtml:li><xhtml:li>Modify the first line in the account section by adding the option > broken shadow. 
The line should then read: <xhtml:br/> > <xhtml:br/> > account required pam_unix.so broken_shadow </xhtml:li><xhtml:li>Immediately before the last line in the account section (the one containing pam > permit.so), insert the line: <xhtml:br/> > <xhtml:br/> > account [default=bad success=ok user_unknown=ignore] pam_ldap.so </xhtml:li><xhtml:li>Immediately before the last line in the password section (the one > containing pam_deny.so), insert the line: <xhtml:br/> > <xhtml:br/> > password sufficient pam_ldap.so use_authtok</xhtml:li><xhtml:li>At the end of the file (after the last line in the session section), append the line:<xhtml:br/> > <xhtml:br/> > session optional pam_ldap.so </xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The first modification tells LDAP to expect passwords in > MD5 hash format, rather than clear text. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Red Hat systems use the file /etc/nsswitch.conf > to determine the appropriate sources to search for certain kinds of data, such as > usernames, groups, hostnames, netgroups, or protocols. It is possible to manage many > other types of data using LDAP, but this guide recommends that only usernames (passwd > data), passwords (shadow data), and groups (group data) be managed using LDAP. If your > site uses netgroups, it may be appropriate to manage these via LDAP as well. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, > data which almost never changes, such as the contents of the /etc/services file, is a > poor choice for central administration, since it introduces risk with little benefit. It > is recommended that the automounter not be used at all, so LDAP control of automounter > maps is unlikely to be appropriate. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The file /etc/pam.d/system-auth-ac is used by PAM to > control access to most authenticated services. The syntax of the PAM configuration file > is somewhat cryptic. The lines recommended here have the combined effect of using LDAP > to find authentication data for users who cannot be found in the local /etc/passwd file. > This means that, for instance, it is still possible to use a local root password. The > details of options such as broken_shadow, use_authtok, and use_first_pass may be looked > up in the man pages for the various PAM modules. Their basic effect is to attempt to > authenticate given a password against both the local /etc/shadow and the central LDAP > server, without forcing the user to type the password more than once. PAM configuration > is discussed further in Section 2.3.3.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3"> > <xccdf:title xml:lang="en">Configure OpenLDAP Server</xccdf:title> > <xccdf:description xml:lang="en"> > This section contains guidance on how to configure an OpenLDAP > server to securely provide information for use in a centralized authentication service. > This is not a comprehensive guide to maintaining an OpenLDAP server, but may be helpful in > transitioning to an OpenLDAP infrastructure nonetheless.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.1"> > <xccdf:title xml:lang="en">Install OpenLDAP Server RPM</xccdf:title> > <xccdf:description xml:lang="en"> > Is this machine the OpenLDAP server? 
If so: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install openldap-servers <xhtml:br/> > # chkconfig ldap on <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The openldap-servers RPM is not installed by > default on RHEL5 machines. It is needed only by the OpenLDAP server, not by the clients > which use LDAP for authentication.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.12.3.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable OpenLDAP service</xccdf:title> > <xccdf:description>The ldap service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3501-4</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20289"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.2"> > <xccdf:title xml:lang="en">Configure Domain-Specific Parameters</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/openldap/slapd.conf. Add or correct the > following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > suffix "dc=example,dc=com " <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > rootdn "cn=Manager,dc=example,dc=com "<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where dc=example,dc=com is the same root you will use on the LDAP clients. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These are > basic LDAP configuration directives. 
The suffix parameter gives the root name of all > information served by this LDAP server, and should be some name related to your domain. > The rootdn parameter names LDAP's privileged user, who is allowed to read or write all > data managed by this LDAP server.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.3"> > <xccdf:title xml:lang="en">Configure an LDAP Root Password</xccdf:title> > <xccdf:description xml:lang="en"> > Ensure that the configuration file has reasonable permissions > before putting the hashed root password in that file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:ldap /etc/openldap/slapd.conf <xhtml:br/> > # chmod 640 /etc/openldap/slapd.conf <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Generate a hashed password using the slappasswd utility: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># slappasswd <xhtml:br/></xhtml:code> > New password: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Re-enter new password: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This > will output a hashed password string. 
Edit the file /etc/openldap/slapd.conf, and add or > correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > rootpw {SSHA}hashed-password-string <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Be sure to select a secure > password for the LDAP root user, since this user has permission to read and write all > LDAP data, so a compromise of the LDAP root password will probably enable a full > compromise of your site. Protect configuration files containing the hashed password the > same way you would protect other files, such as /etc/shadow, which contain hashed > authentication data. In addition, be sure to use a reasonably strong hash function, such > as SHA-1, rather than an insecure scheme such as crypt.</xccdf:description> > <xccdf:description xml:lang="en">If you are using SHA-1, the hashed password string will begin with â{SHA}â or â{SSHA}â</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.4"> > <xccdf:title xml:lang="en">Configure the LDAP Server to Require TLS for All Transactions</xccdf:title> > <xccdf:description xml:lang="en"> > Because LDAP queries and responses, particularly those > containing authentication information or other sensitive data, must be protected from > disclosure or modification while in transit over the network, this guide recommends > using SSL to protect all transactions. 
In order to do this, it is necessary to have a > site-wide SSL infrastructure in which a CA certificate is used to verify that other > certificates, such as that presented by the LDAP server to its clients, are authentic.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Therefore, this procedure involves using the CA system to create a certificate for the > LDAP server, then installing that certificate on the LDAP server and configuring slapd > to require its use. See Section 2.5.6 for details about the process of creating SSL > certificates for use by servers at your site.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.4.1"> > <xccdf:title xml:lang="en">Create the Certificate for the LDAP Server</xccdf:title> > <xccdf:description xml:lang="en"> > Note: This step must be performed on the CA system, not on > the LDAP server itself. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Change into the CA certificate directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Generate a key pair for the LDAP server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl genrsa -out ldapserverkey.pem 2048 <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Next, generate a certificate signing request (CSR) for the CA to sign: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key ldapserverkey.pem 
-out ldapserver.csr <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Sign the ldapserver.csr request: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in ldapserver.csr -out ldapservercert.pem <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This step creates a private key, ldapserverkey.pem, and a public certificate, > ldapservercert.pem. The LDAP server will use these to prove its identity by > demonstrating that it has a certificate which has been signed by the site CA. LDAP > clients at your site should only be willing to accept authentication data from a > verified LDAP server.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.4.2"> > <xccdf:title xml:lang="en">Install the Certificate on the LDAP Server</xccdf:title> > <xccdf:description xml:lang="en"> > Create the PKI directory for LDAP certificates if it does not > already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/ldap <xhtml:br/> > # chown root:root /etc/pki/tls/ldap <xhtml:br/> > # chmod 755 /etc/pki/tls/ldap <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Using removable media or some other secure transmission format, > install the files generated in the previous step onto the LDAP server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>/etc/pki/tls/ldap/serverkey.pem: the private key ldapserverkey.pem</xhtml:li><xhtml:li>/etc/pki/tls/ldap/servercert.pem: the certificate file ldapservercert.pem </xhtml:li></xhtml:ul><xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify the ownership and permissions of these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:ldap /etc/pki/tls/ldap/serverkey.pem <xhtml:br/> > # chown root:ldap /etc/pki/tls/ldap/servercert.pem <xhtml:br/> > # chmod 640 /etc/pki/tls/ldap/serverkey.pem <xhtml:br/> > # chmod 640 /etc/pki/tls/ldap/servercert.pem<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify that the CA's public certificate file has been installed as > /etc/pki/tls/CA/cacert.pem, and has the correct permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/CA <xhtml:br/> > # chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/> > # chmod 644 /etc/pki/tls/CA/cacert.pem <xhtml:br/></xhtml:code> > As a > result of these steps, the LDAP server will have access to its own private certificate > and the key with which that certificate is encrypted, and to the public certificate > file belonging to the CA. Note that it would be possible for the key to be protected > further, so that processes running as ldap could not read it. If this were done, the > LDAP server process would need to be restarted manually whenever the server rebooted.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.4.3"> > <xccdf:title xml:lang="en">Configure slapd to Use the Certificates</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/openldap/slapd.conf. 
Add or correct the > following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > TLSCACertificateFile /etc/pki/tls/CA/cacert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > TLSCertificateFile /etc/pki/tls/ldap/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > TLSCertificateKeyFile /etc/pki/tls/ldap/serverkey.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > security simple_bind=128 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The first set of lines tell slapd where to find the > appropriate SSL certificates to present to clients when they request an encrypted > transaction. The last setting tells slapd never to allow clients to present > credentials (i.e. passwords) in an unencrypted session. It is a good security > principle never to allow unencrypted passwords to traverse a network, so ensure that > LDAP mandates this.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.5"> > <xccdf:title xml:lang="en">Install Account Information into the LDAP Database</xccdf:title> > <xccdf:description xml:lang="en"> > There are many ways to maintain an OpenLDAP database. Methods > include: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Input entries in ldif(5) format into a file /path/to/new entries , and use > slapadd to import those entries while slapd is not running: <xhtml:br/> > <xhtml:br/> > <xhtml:code># slapadd -l /path/to/new_entries </xhtml:code></xhtml:li><xhtml:li>Write a script to create and modify LDAP entries by connecting to the LDAP > server normally. 
The Perl Net::LDAP module is appropriate for this, there is a Python > API called python-ldap, and functionality is likely available for other scripting > languages as well. </xhtml:li><xhtml:li>Use an LDAP front-end program which provides an interface for > editing the database. If the front-end program is web-based or otherwise accessible over > a network, ensure that authentication information is protected via SSL between the > administrator's client and the program, as well as between the program and the LDAP > database. </xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Any of these methods or others may be appropriate for your site. This guide > does not provide a recommendation, and there will be no further discussion of the syntax > of entering LDAP data into the database.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.5.1"> > <xccdf:title xml:lang="en">Create Top-level LDAP Structure for Domain</xccdf:title> > <xccdf:description xml:lang="en"> > Create a structure for the domain itself with at least the > following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > dn: dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: dcObject <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: organization <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > dc: example <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > o: Organization Description <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This is a placeholder for the > root of the domain's LDAP tree. 
Without this entry, LDAP will not be able to find any > other entries for the domain.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.5.2"> > <xccdf:title xml:lang="en">Create LDAP Structures for Users and Groups</xccdf:title> > <xccdf:description xml:lang="en"> > Create LDAP structures for people (users) and for groups with > at least the following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > dn: ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ou: people<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > structuralObjectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > dn: ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ou: groups <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > structuralObjectClass: organizationalUnit<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: organizationalUnit <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Posix users and groups are the two top-level items > which will be needed in order to use LDAP for authentication. These organizational > units are used to identify the two categories within LDAP.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.5.3"> > <xccdf:title xml:lang="en">Create Unix Accounts</xccdf:title> > <xccdf:description xml:lang="en"> > For each Unix user, create an LDAP entry with at least the > following attributes (others may be appropriate for your site as well), using variable > values appropriate to that user. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > dn: uid=username ,ou=people,dc=example,dc=com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > structuralObjectClass: inetOrgPerson <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: inetOrgPerson <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: posixAccount <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: shadowAccount <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > cn: fullname <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > sn: surname <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gecos: fullname<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gidNumber: primary-group-id <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > homeDirectory: /home/username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > loginShell: /path/to/shell<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > uid: username <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > uidNumber: uid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > userPassword: {MD5}md5-hashed-password <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If your site > implements password expiration in which passwords must be changed every N days (see > Section 2.3.1.7), then each entry should also have the attribute: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > shadowMax: N <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In general, the LDAP schemas for users use uid to refer to the text username, and > uidNumber for the numeric UID. This usage may be slightly confusing when compared to > the standard Unix usage. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > You should not create entries for the root account or for > system accounts which are unique to individual systems, but only for user accounts > which are to be shared across machines, and which have authentication information > (such as a password) associated with them.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.5.4"> > <xccdf:title xml:lang="en">Create Unix Groups</xccdf:title> > <xccdf:description xml:lang="en"> > For each Unix group, create an LDAP entry with at least the > following attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > dn: cn=groupname ,ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > cn: groupname<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > structuralObjectClass: posixGroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: posixGroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > gidNumber: gid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > memberUid: username1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > memberUid: username2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > memberUid: usernameN <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note that each user has a > primary group, identified by the gidNumber field in the user's account entry. That > group must be created, but it is not necessary to list the user as a memberUid of the > group. This behavior should be familiar to administrators, since it is identical to > the handling of the /etc/passwd and /etc/group files. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Do not create entries for the > root group or for system groups, but only for groups which contain human users or > which are shared across systems.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.5.5"> > <xccdf:title xml:lang="en">Create Groups to Administer LDAP</xccdf:title> > <xccdf:description xml:lang="en"> > If a group of LDAP administrators, admins , is desired, that > group must be created somewhat differently. The specification should have these > attributes: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > dn: cn=admins ,ou=groups,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > cn: admins<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > structuralObjectClass: groupOfUniqueNames <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > objectClass: groupOfUniqueNames<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > uniqueMember: cn=Manager,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > uniqueMember: uid=admin1-username ,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > uniqueMember: uid=admin2-username ,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > uniqueMember: uid=adminN-username ,ou=people,dc=example,dc=com <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LDAP cannot use Posix groups for its own internal > authentication â it needs to compare the username specified in an authenticated bind > to some internal groupOfUniqueNames. 
If you do not specify an LDAP administrators' > group, then all LDAP management will need to be done using the LDAP root user > (Manager). For reasons of auditing and error detection, it is recommended that LDAP > administrators have unique identities. (See Section 2.3.1.3 for similar reasoning > applied to the use of sudo for privileged system commands.)</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.6"> > <xccdf:title xml:lang="en">Configure slapd to Protect Authentication Information</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/openldap/slapd.conf. Add or correct the > following access specifications: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Protect the user's password by allowing the user > himself or the LDAP administrators to change it, allowing the anonymous user to > authenticate against it, and allowing no other access: <xhtml:br/> > <xhtml:br/> > access to attrs=userPassword <xhtml:br/> > by self write <xhtml:br/> > by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/> > by anonymous auth <xhtml:br/> > by * none <xhtml:br/> > access to attrs=shadowLastChange <xhtml:br/> > by self write <xhtml:br/> > by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/> > by * read</xhtml:li><xhtml:li>Allow anyone to read other > information, and allow the administrators to change it: <xhtml:br/> > <xhtml:br/> > access to * by<xhtml:br/> > group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write <xhtml:br/> > by * read </xhtml:li></xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Access rules are applied in the order encountered, so more specific rules 
should > appear first. In particular, the rule restricting access to userPassword must appear > before the rule allowing access to all data. The shadowLastChange attribute is a > timestamp, and is only critical if your site implements password expiration. If your > site does not have an LDAP administrators group, the LDAP root user (called Manager in > this guide) will be able to change data without an explicit access statement.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.7"> > <xccdf:title xml:lang="en">Correct Permissions on LDAP Server Files</xccdf:title> > <xccdf:description xml:lang="en"> > Correct the permissions on the ldap server's files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown ldap:root /var/lib/ldap/* <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Some manual methods of inserting information into the LDAP > database may leave these files with incorrect permissions. 
This will prevent slapd from > starting correctly.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.12.3.7.a" operator="equals" type="string"> > <xccdf:title>group owner of ldap files</xccdf:title> > <xccdf:description xml:lang="en">Specify group owner of /var/lib/ldap/*.</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of /var/lib/ldap/*</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.12.3.7.b" operator="equals" type="string"> > <xccdf:title>user owner of ldap files</xccdf:title> > <xccdf:description xml:lang="en">Specify user owner of /var/lib/ldap/*.</xccdf:description> > <xccdf:question xml:lang="en">Specify user owner of /var/lib/ldap/*</xccdf:question> > <xccdf:value>ldap</xccdf:value> > <xccdf:value selector="ldap">ldap</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.12.3.7.a" selected="false" weight="10.0"> > <xccdf:title>Correct Permissions on LDAP Server Files</xccdf:title> > <xccdf:description>The /var/lib/ldap/* files should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4484-2</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20290" value-id="xccdf_cdf_value_var-3.12.3.7.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20290"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.12.3.7.b" selected="false" weight="10.0"> > <xccdf:title>Correct Permissions on LDAP Server Files</xccdf:title> > <xccdf:description>The /var/lib/ldap/* files should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4502-1</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > 
<xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20291" value-id="xccdf_cdf_value_var-3.12.3.7.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20291"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.8"> > <xccdf:title xml:lang="en">Configure iptables to Allow Access to the LDAP Server</xccdf:title> > <xccdf:description xml:lang="en"> > Determine an appropriate network block, netwk, and network > mask, mask, representing the machines on your network which will query this LDAP > server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/sysconfig/iptables. Add the following lines, ensuring that they appear > before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 389 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 636 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default Iptables configuration does not allow inbound access to any services. These > modifications allow access to the LDAP primary (389) and encrypted-only (636) ports > from the given netblock only, > while keeping all other ports on the server in their default protected state. See > Section 2.5.5 for more information about Iptables. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: Even if the LDAP server > restricts connections so that only encrypted queries are allowed, it will probably be > necessary to allow traffic to the default port 389. This is true because many LDAP > clients implement encryption by connecting to the primary port and issuing the STARTTLS > command.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.12.3.9"> > <xccdf:title xml:lang="en">Configure Logging for LDAP</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Edit the file /etc/syslog.conf. Add or correct the following line: <xhtml:br/> > <xhtml:br/> > local4.* /var/log/ldap.log </xhtml:li><xhtml:li>Create the log file with safe permissions: <xhtml:br/> > <xhtml:br/> > <xhtml:code># touch /var/log/ldap.log <xhtml:br/> > # chown root:root /var/log/ldap.log <xhtml:br/> > # chmod 0600 /var/log/ldap.log </xhtml:code></xhtml:li><xhtml:li>Edit the file /etc/logrotate.d/syslog and add the pathname <xhtml:br/> > <xhtml:br/> > /var/log/ldap.log <xhtml:br/> > <xhtml:br/> > to the space-separated list in the first line. </xhtml:li><xhtml:li>Edit the LDAP configuration file > /etc/openldap/slapd.conf and set a reasonable set of default log parameters, such as:<xhtml:br/> > <xhtml:br/> > loglevel stats2 </xhtml:li></xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > OpenLDAP sends its log data to the syslog facility local4 at priority > debug. By default, RHEL5 does not store this facility at all. The syslog configuration > suggested here will store any output logged by slapd in the file /var/log/ldap.log, and > will include that file in the standard log rotation for syslog files. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, LDAP's > logging is quite verbose. The loglevel parameter is a space-separated list of items to > be logged. Specifying stats2 will reduce the log output somewhat, but this level will > still produce some logging every time an LDAP query is made. (This may be appropriate, > depending on your site's auditing requirements.) In order to capture only slapd startup > messages, specify loglevel none. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See slapd.conf(5) for detailed information about the > loglevel parameter. See Section 2.6.1 for more information about syslog.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13"> > <xccdf:title xml:lang="en">NFS and RPC</xccdf:title> > <xccdf:description xml:lang="en"> > The Network File System is the most popular distributed filesystem > for the Unix environment, and is very widely deployed. Unfortunately, NFS was not designed > with security in mind, and has a number of weaknesses, both in terms of the protocol itself > and because any NFS installation must expose several daemons, running on both servers and > clients, to network attack. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This section discusses the circumstances under which it is > possible to disable NFS and its dependencies, and then details steps which should be taken > to secure, as much as possible, NFS's configuration. 
This section is relevant to machines > operating as NFS clients, as well as to those operating as NFS servers.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.1"> > <xccdf:title xml:lang="en">Disable All NFS Services if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason for this machine to operate as > either an NFS client or an NFS server? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If not, follow all instructions in the remainder of > Section 3.13.1 to disable subsystems required by NFS. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > NFS is a commonly used mechanism for > sharing data between machines in an organization. However, its use opens many potential > security holes. If NFS is not universally needed in your organization, improve the > security posture of any machine which does not require NFS by disabling it entirely.</xccdf:description> > <xccdf:warning xml:lang="en">The steps in Section 3.13.1 will prevent a machine from operating > as either an NFS client or an NFS server. Only perform these steps on machines which do > not need NFS at all. </xccdf:warning> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.1.1"> > <xccdf:title xml:lang="en">Disable Services Used Only by NFS</xccdf:title> > <xccdf:description xml:lang="en"> > If NFS is not needed, perform the following steps to disable > NFS client daemons: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig nfslock off <xhtml:br/> > # chkconfig rpcgssd off <xhtml:br/> > # chkconfig rpcidmapd off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The nfslock, rpcgssd, and rpcidmapd daemons all perform NFS client functions. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > All of these daemons run with elevated privileges, and many listen for > network connections. If they are not needed, they should be disabled to improve system > security posture.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.1.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable nfslock</xccdf:title> > <xccdf:description>The nfslock service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4396-8</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20292"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.1.1.b" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable rpcgssd</xccdf:title> > <xccdf:description>The rpcgssd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3535-2</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20293"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.1.1.c" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable rpcidmapd</xccdf:title> > <xccdf:description>The rpcidmapd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3568-3</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20294"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > 
<xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.1.2"> > <xccdf:title xml:lang="en">Disable netfs if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Determine whether any network filesystems handled by netfs are > mounted on this system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mount -t nfs,nfs4,smbfs,cifs,ncpfs <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If this command returns no output, disable netfs to improve system security: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig netfs off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The netfs script > manages the boot-time mounting of several types of networked filesystems, of which NFS > and Samba (see Section 3.18) are the most common. 
If these filesystem types are not in > use, the script can be disabled, protecting the system somewhat against accidental or > malicious changes to /etc/fstab and against flaws in the netfs script itself.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.1.2.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable netfs if Possible</xccdf:title> > <xccdf:description>The netfs service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4533-6</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20295"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.1.3"> > <xccdf:title xml:lang="en">Disable RPC Portmapper if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > If: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>NFS is not needed </xhtml:li><xhtml:li>The site does not rely on NIS for authentication information, and </xhtml:li><xhtml:li>The machine does not run any other RPC-based service</xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > then disable the RPC portmapper service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig portmap off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By design, the RPC > model does not require particular services to listen on fixed ports, but instead uses a > daemon, portmap, to tell prospective clients which ports to use to contact the services > 
they are trying to reach. This model weakens system security by introducing another > privileged daemon which may be directly attacked, and is unnecessary because RPC was > never adopted by enough services to risk using up all the ports on a system.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Unfortunately, the portmapper is central to RPC design, so it cannot be disabled if your > site is using any RPC-based services, including NFS, NIS (see Section 3.2.4 for > information about NIS, which is not recommended), or any third-party or custom RPC-based > program. If none of these programs are in use, however, portmap should be disabled to > improve system security. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In order to get more information about whether portmap may be > disabled on a given host, query the local portmapper using the command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># rpcinfo -p <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the only services listed are portmapper and status, it is safe to disable the > portmapper. 
If other services are listed and your site is not running NFS or NIS, > investigate these services and disable them if possible.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.1.3.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable RPC Portmapper if Possible</xccdf:title> > <xccdf:description>The portmap service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4550-0</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20296"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.2"> > <xccdf:title xml:lang="en">Configure All Machines which Use NFS</xccdf:title> > <xccdf:description xml:lang="en">The steps in this section are appropriate for all machines which run NFS, whether they operate as clients or as servers.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.2.1"> > <xccdf:title xml:lang="en">Make Each Machine a Client or a Server, not Both</xccdf:title> > <xccdf:description xml:lang="en"> > If NFS must be used, it should be deployed in the simplest > configuration possible to avoid maintainability problems which may lead to unnecessary > security exposure. Due to the reliability and security problems caused by NFS, it is not > a good idea for machines which act as NFS servers to also mount filesystems via NFS. At > the least, crossed mounts (the situation in which each of two servers mounts a > filesystem from the other) should never be used.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.2.2"> > <xccdf:title xml:lang="en">Restrict Access to the Portmapper</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/hosts.deny. 
Add or correct the line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > portmap: ALL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file /etc/hosts.allow. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > portmap: IPADDR1, IPADDR2, ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where each IPADDR is the IP address of a server or client with which this > machine shares NFS filesystems. If the machine is an NFS server, it may be simpler to > use an IP netblock specification, such as 10.3.2. (this is the TCP Wrappers syntax > representing the netblock 10.3.2.0/24), or a hostname specification, such as > .subdomain.example.com. The use of hostnames is not recommended, because the access > decision would then depend on a DNS lookup, which an attacker may be able to spoof; > IP addresses and netblocks do not have this weakness. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The /etc/hosts.allow > and /etc/hosts.deny files are used by TCP Wrappers to determine whether specified remote > hosts are allowed to access certain services (entries in /etc/hosts.allow take > precedence over those in /etc/hosts.deny). The default portmapper shipped with RHEL5 > has TCP Wrappers support built in, so this specification can be used to provide some > protection against network attacks on the portmapper. (See Section 2.5.4 for more > information about TCP Wrappers.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: This step protects only the portmap service > itself. 
It is still possible for attackers to guess the port numbers of NFS services and > attack those services directly, even if they are denied access to the portmapper.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.2.3"> > <xccdf:title xml:lang="en">Configure NFS Services to Use Fixed Ports</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/sysconfig/nfs. Add or correct the following > lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LOCKD_TCPPORT=lockd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LOCKD_UDPPORT=lockd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > MOUNTD_PORT=mountd-port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > RQUOTAD_PORT=rquotad-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > STATD_PORT=statd-port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > STATD_OUTGOING_PORT=statd-outgoing-port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where each X-port is a port which is not used by any other service on your network.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Firewalling should be done at each host and at the border firewalls to protect the NFS > daemons from remote access, since NFS servers should never be accessible from outside > the organization. However, by default, the portmapper assigns each NFS service to a port > dynamically at service startup time. Dynamic ports cannot be protected by port filtering > firewalls such as iptables (Section 2.5.5). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Therefore, restrict each service to always > use a given port, so that firewalling can be done effectively. 
Note that, because of the > way RPC is implemented, it is not possible to disable the portmapper even if ports are > assigned statically to all RPC services.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.2.3.a" selected="false" weight="10.0"> > <xccdf:title>Configure lockd to Use Fixed Ports for TCP</xccdf:title> > <xccdf:description>The lockd service should be configured to use a static port for TCP</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4559-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/nfs</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20297"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.2.3.b" selected="false" weight="10.0"> > <xccdf:title>Configure statd to Use an outgoing static port</xccdf:title> > <xccdf:description>The statd service should be configured to use an outgoing static port</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4015-4</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/nfs</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20298"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.2.3.c" selected="false" weight="10.0"> > <xccdf:title>Configure statd to Use a static port</xccdf:title> > <xccdf:description>The statd service should be configured to use a static port</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3667-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/nfs</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20299"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule 
id="xccdf_cdf_rule_rule-3.13.2.3.d" selected="false" weight="10.0"> > <xccdf:title>Configure lockd to Use a static port for UDP</xccdf:title> > <xccdf:description>The lockd service should be configured to use a static port for UDP</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4310-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/nfs</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20300"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.2.3.e" selected="false" weight="10.0"> > <xccdf:title>Configure mountd to Use a static port</xccdf:title> > <xccdf:description>The mountd service should be configured to use a static port</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4438-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/nfs</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20301"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.2.3.f" selected="false" weight="10.0"> > <xccdf:title>Configure rquotad to Use Fixed Ports</xccdf:title> > <xccdf:description>The rquotad service should be configured to use a static port</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3579-0</xccdf:ident> > <xccdf:fixtext>(1) via /etc/sysconfig/nfs</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20302"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.3"> > <xccdf:title xml:lang="en">Configure NFS Clients</xccdf:title> > <xccdf:description xml:lang="en">The steps in this section are 
appropriate for machines which operate as NFS clients.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.3.1"> > <xccdf:title xml:lang="en">Disable NFS Server Daemons</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig nfs off <xhtml:br/> > # chkconfig rpcsvcgssd off <xhtml:br/></xhtml:code><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > There is no need > to run the NFS server daemons except on a small number of properly secured machines > designated as NFS servers. Ensure that these daemons are turned off on clients.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.3.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable nfs service</xccdf:title> > <xccdf:description>The nfs service should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4473-5</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20303"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.3.1.b" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable rpcsvcgssd service</xccdf:title> > <xccdf:description>The rpcsvcgssd service should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4491-7</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20304"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.3.2"> > <xccdf:title xml:lang="en">Mount Remote Filesystems with Restrictive Options</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file 
/etc/fstab. For each filesystem whose type > (column 3) is nfs or nfs4, add the text ,nodev,nosuid to the list of mount options in > column 4. If appropriate, also add ,noexec. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See Section 2.2.1.2 for a description of the > effects of these options. In general, execution of files mounted via NFS should be > considered risky because of the possibility that an adversary could intercept the > request and substitute a malicious file. Allowing setuid files to be executed from > remote servers is particularly risky, both for this reason and because it requires the > clients to extend root-level trust to the NFS server.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.3.2.a" selected="false" weight="10.0"> > <xccdf:title>Mount Remote Filesystems with nodev</xccdf:title> > <xccdf:description>The nodev option should be enabled for all NFS mounts</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4368-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/fstab</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20305"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.3.2.b" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Mount Remote Filesystems with nosuid</xccdf:title> > <xccdf:description>The nosuid option should be enabled for all NFS mounts</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4024-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/fstab</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20306"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.3.2.c" selected="false" 
severity="medium" weight="10.0"> > <xccdf:title>Mount Remote Filesystems with noexec</xccdf:title> > <xccdf:description>The noexec option should be enabled for all NFS mounts</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4526-0</xccdf:ident> > <xccdf:fixtext>(1) via /etc/fstab</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20307"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.4"> > <xccdf:title xml:lang="en">Configure NFS Servers</xccdf:title> > <xccdf:description xml:lang="en">The steps in this section are appropriate for machines which operate as NFS servers.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.4.1"> > <xccdf:title xml:lang="en">Configure the Exports File Restrictively</xccdf:title> > <xccdf:description xml:lang="en"> > Linux's NFS implementation uses the file /etc/exports to > control what filesystems and directories may be accessed via NFS. (See the exports(5) > manpage for more information about the format of this file.) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The syntax of the exports > file is not necessarily checked fully on reload, and syntax errors can leave your NFS > configuration more open than intended. Therefore, exercise caution when modifying the > file. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The syntax of each line in /etc/exports is <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > /DIR ipaddr1(opt1,opt2) ipaddr2(opt3) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where /DIR is a directory or filesystem to export, ipaddrN is an IP address, > netblock, hostname, domain, or netgroup to which to export, and optN is an option. > Do not leave whitespace between a host and its option list: a line such as > /DIR host (rw) is parsed as two client entries, exporting /DIR to host with the default > options and, separately, to every host with the rw option. This is one of the syntax > errors mentioned above that silently opens an export to the world.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.4.1.1"> > <xccdf:title xml:lang="en">Use Access Lists to Enforce Authorization Restrictions on Mounts</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/exports. Ensure that each export line contains a > set of IP addresses or hosts which are allowed to access that export. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If no IP > addresses or hostnames are specified on an export line, then that export is available > to any remote host which requests it. All lines of the exports file should specify the > hosts (or subnets, if needed) which are allowed to access the exported directory, so > that unknown or remote hosts will be denied.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.4.1.2"> > <xccdf:title xml:lang="en">Use Root-Squashing on All Exports</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/exports. Ensure that no line contains the option no_root_squash. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a filesystem is exported using root squashing, requests from root on > the client are considered to be unprivileged (mapped to a user such as nobody). 
This > provides some mild protection against remote abuse of an NFS server. Root squashing is > enabled by default, and should not be disabled.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.4.1.2.a" selected="false" weight="10.0"> > <xccdf:title>Use Root-Squashing on All Exports</xccdf:title> > <xccdf:description>Root squashing should be enabled for all NFS shares</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4544-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/exports</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20308"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.4.1.3"> > <xccdf:title xml:lang="en">Restrict NFS Clients to Privileged Ports</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/exports. Ensure that no line contains the option insecure. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > By default, Linux's NFS implementation requires that all client requests be > made from ports less than 1024. If your organization has control over machines > connected to its network, and if NFS requests are prohibited at the border firewall, > this offers some protection against malicious requests from unprivileged users. 
> Therefore, the default should not be changed.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.4.1.3.a" selected="false" weight="10.0"> > <xccdf:title>Restrict NFS Clients to Privileged Ports</xccdf:title> > <xccdf:description>Restriction of NFS clients to privileged ports should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4465-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/exports</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20309"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.4.1.4"> > <xccdf:title xml:lang="en">Export Filesystems Read-Only if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/exports. Ensure that every line contains the option > ro and does not contain the option rw, unless there is an operational need for remote > clients to modify that filesystem. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a filesystem is being exported so that users can > view the files in a convenient fashion, but there is no need for users to edit those > files, exporting the filesystem read-only removes an attack vector against the server. 
> The default filesystem export mode is ro, so do not specify rw without a good reason.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.13.4.1.4.a" selected="false" weight="10.0"> > <xccdf:title>Export Filesystems Read-Only if Possible</xccdf:title> > <xccdf:description>Write access to NFS shares should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4350-5</xccdf:ident> > <xccdf:fixtext>(1) via /etc/exports</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20310"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.13.4.2"> > <xccdf:title xml:lang="en">Allow Legitimate NFS Clients to Access the Server</xccdf:title> > <xccdf:description xml:lang="en"> > Determine an appropriate network block, netwk , and network > mask, mask , representing the machines on your network which must mount NFS filesystems > from this server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/sysconfig/iptables. 
Add the following lines, ensuring that > they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport 111 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 111 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport 2049 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport lockd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport lockd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport mountd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport mountd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport rquotad-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport rquotad-port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport statd-port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p udp --dport statd-port -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > where the variable port numbers match those selected in Section 3.13.2.3 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default iptables configuration does not allow inbound access to any services. This > modification will allow the specified block of remote hosts to initiate connections to > the set of NFS daemons, while keeping all other ports on the server in their default > protected state. See Section 2.5.5 for more information about iptables.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14"> > <xccdf:title xml:lang="en">DNS Server</xccdf:title> > <xccdf:description xml:lang="en">Most organizations have an operational need to run at least one nameserver. However, there are many common attacks involving DNS, so nameservers should be configured defensively.</xccdf:description> > <xccdf:reference>Liu, C. DNS & BIND Cookbook. O'Reilly and Associates, Oct 2002</xccdf:reference> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.1"> > <xccdf:title xml:lang="en">Disable DNS Server if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is there an operational need for this machine to act as a DNS > server for this site? <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If not, disable the software and remove it from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig named off <xhtml:br/> > # yum erase bind <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > DNS software should be disabled on any machine which > does not need to be a nameserver. Note that the BIND DNS server software is not installed > on RHEL5 by default. 
The remainder of this section discusses secure configuration of > machines which must be nameservers.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.14.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable DNS Server if Possible</xccdf:title> > <xccdf:description>The named service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3578-2</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20311"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.14.1.b" selected="false" weight="10.0"> > <xccdf:title>Uninstall bind if Possible</xccdf:title> > <xccdf:description>The bind package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4219-2</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20312"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.2"> > <xccdf:title xml:lang="en">Run the BIND9 Software if DNS Service is Needed</xccdf:title> > <xccdf:description xml:lang="en"> > It is highly recommended that the BIND9 software be used to > provide DNS service. BIND is the Internet standard Unix nameserver, and, while it has had > security problems in the past, it is also well-maintained and Red Hat is likely to quickly > issue updates in response to any problems discovered in the future. In addition, BIND > version 9 has new security features and more secure default settings than earlier > versions. 
In particular, BIND version 4 is no longer recommended for production use, and > BIND4 servers should be upgraded to a newer version as soon as possible.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.3"> > <xccdf:title xml:lang="en">Isolate DNS from Other Services</xccdf:title> > <xccdf:description xml:lang="en"> > This section discusses mechanisms for preventing the DNS server > from interfering with other services. This is done both to protect the remainder of the > network should a nameserver be compromised, and to make direct attacks on nameservers more > difficult.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.3.1"> > <xccdf:title xml:lang="en">Run DNS Software on Dedicated Servers if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Since DNS is a high-risk service which must frequently be made > available to the entire Internet, it is strongly recommended that no other services be > offered by machines which act as organizational DNS servers.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.3.2"> > <xccdf:title xml:lang="en">Run DNS Software in a chroot Jail</xccdf:title> > <xccdf:description xml:lang="en"> > Install the bind-chroot package: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install bind-chroot<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Place a valid named.conf file inside the chroot jail: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp /etc/named.conf /var/named/chroot/etc/named.conf <xhtml:br/> > # chown root:root /var/named/chroot/etc/named.conf <xhtml:br/> > # chmod 644 /var/named/chroot/etc/named.conf <xhtml:br/></xhtml:code> > <xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Create and populate an appropriate zone > directory within the jail, based on the options directive. If your named.conf includes:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > directory "/path/to/DIRNAME "; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > } <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > then copy that directory and its contents from the original zone directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file /etc/sysconfig/named. Add or correct the line: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ROOTDIR=/var/named/chroot<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Chroot jails are not foolproof. However, they serve to make it more difficult for a > compromised program to be used to attack the entire host. They do this by restricting a > program's ability to traverse the directory upward, so that files outside the jail are > not visible to the chrooted process. Since RHEL5 supports a standard mechanism for > placing BIND in a chroot jail, you should take advantage of this feature. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: If you > are running BIND in a chroot jail, then you should use the jailed named.conf as the > primary nameserver configuration file. 
That is, when this guide recommends editing > /etc/named.conf, you should instead edit /var/named/chroot/etc/named.conf.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.14.3.2.a" operator="equals" type="string"> > <xccdf:title>group owner of jail</xccdf:title> > <xccdf:description xml:lang="en">Specify group owner of /var/named/chroot/etc/named.conf</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of /var/named/chroot/etc/named.conf</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.14.3.2.b" operator="equals" type="string"> > <xccdf:title>user owner of jail</xccdf:title> > <xccdf:description xml:lang="en">Specify user owner of /var/named/chroot/etc/named.conf</xccdf:description> > <xccdf:question xml:lang="en">Specify user owner of /var/named/chroot/etc/named.conf</xccdf:question> > <xccdf:value>root</xccdf:value> > <xccdf:value selector="root">root</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.14.3.2.c" operator="equals" type="string"> > <xccdf:title>permission of jail</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions on /var/named/chroot/etc/named.conf</xccdf:description> > <xccdf:question xml:lang="en">Specify permissions of /var/named/chroot/etc/named.conf</xccdf:question> > <xccdf:value>110100100</xccdf:value> > <xccdf:value selector="400">100000000</xccdf:value> > <xccdf:value selector="644">110100100</xccdf:value> > <xccdf:value selector="700">111000000</xccdf:value> > <xccdf:match>^[01]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.14.3.2.a" selected="false" weight="10.0"> > <xccdf:title>Run DNS Software in a chroot Jail owned by root group</xccdf:title> > <xccdf:description>The /var/named/chroot/etc/named.conf file should be owned by the appropriate group.</xccdf:description> > <xccdf:ident 
system="http://cce.mitre.org">CCE-3985-9</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20313" value-id="xccdf_cdf_value_var-3.14.3.2.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20313"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.14.3.2.b" selected="false" weight="10.0"> > <xccdf:title>Run DNS Software in a chroot Jail owned by root user</xccdf:title> > <xccdf:description>The /var/named/chroot/etc/named.conf file should be owned by the appropriate user.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4258-0</xccdf:ident> > <xccdf:fixtext>(1) via chown</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20314" value-id="xccdf_cdf_value_var-3.14.3.2.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20314"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.14.3.2.c" selected="false" weight="10.0"> > <xccdf:title>Set permissions on chroot Jail for DNS</xccdf:title> > <xccdf:description>File permissions for /var/named/chroot/etc/named.conf should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4487-5</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20315" value-id="xccdf_cdf_value_var-3.14.3.2.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20315"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.3.3"> > <xccdf:title xml:lang="en">Configure Firewalls to 
Protect the DNS Server</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/sysconfig/iptables. Add the following lines, > ensuring that they appear before the final LOG and DROP lines for the > RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These > lines are necessary in order to allow remote machines to contact the DNS server. If this > server is only available to the local network, it may be appropriate to insert a -s flag > into this rule to allow traffic only from packets on the local network. See Section > 3.5.1.2 for an example of such a modification. See Section 2.5.5 for general information > about iptables.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.4"> > <xccdf:title xml:lang="en">Protect DNS Data from Tampering or Attack</xccdf:title> > <xccdf:description xml:lang="en">This section discusses DNS configuration options which make it more difficult for attackers to gain access to private DNS data or to modify DNS data.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.4.1"> > <xccdf:title xml:lang="en">Run Separate DNS Servers for External and Internal Queries if > Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is it possible to run external and internal nameservers on > separate machines? If so, follow the configuration guidance in this section. If not, see > Section 3.14.4.2 for an alternate approach using BIND9. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > On the external nameserver, edit /etc/named.conf. Add or correct the following > directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > allow-query { any; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > recursion no; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "example.com " IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > On the internal nameserver, edit > /etc/named.conf. Add or correct the following directives, where SUBNET is the numerical > IP representation of your organization in the form xxx.xxx.xxx.xxx/xx: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > acl internal {<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SUBNET ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > localhost; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > options { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > allow-query { internal; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "internal.example.com " IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Enterprise nameservers generally serve two > functions. One is to provide public information about the machines in a domain for the > benefit of outside users who wish to contact those machines, for instance in order to > send mail to users in the enterprise, or to visit the enterprise's external web page. > The other is to provide nameservice to client machines within the enterprise. Client > machines require both private information about enterprise machines (which may be > different from the public information served to the rest of the world) and public > information about machines outside the enterprise, which is used to send mail or visit > websites outside of the organization. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In order to provide the public nameservice > function, it is necessary to share data with untrusted machines which request it — > otherwise, the enterprise cannot be conveniently contacted by outside users. However, > internal data should be protected from disclosure, and serving irrelevant public name > queries for outside domains leaves the DNS server open to cache poisoning and other > attacks. Therefore, local network nameservice functions should not be provided to > untrusted machines. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Separate machines should be used to fill these two functions whenever possible.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.4.2"> > <xccdf:title xml:lang="en">Use Views to Partition External and Internal Information if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If it is not possible to run external and internal nameservers > on separate physical machines, run BIND9 and simulate this feature using views. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit > /etc/named.conf. Add or correct the following directives (where SUBNET is the numerical > IP representation of your organization in the form xxx.xxx.xxx.xxx/xx): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > acl internal {<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SUBNET ; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > localhost; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > view "internal-view" { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > match-clients { internal; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "." IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > type hint; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > file "db.cache"; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "internal.example.com " IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > view "external-view" { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > match-clients { any; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > recursion no; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "example.com " IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The view feature is provided by BIND9 as a way to allow a single nameserver to make > different sets of data available to different sets of clients. If possible, it is always > better to run external and internal nameservers on separate machines, so that even > complete compromise of the external server cannot be used to obtain internal data or > confuse internal DNS clients. However, this is not always feasible, and use of a feature > like views is preferable to leaving internal DNS data entirely unprotected. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: As > shown in the example, database files which are required for recursion, such as the root > hints file, must be available to any clients which are allowed to make recursive > queries. 
Under typical circumstances, this includes only the internal clients which are > allowed to use this server as a general-purpose nameserver.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.4.3"> > <xccdf:title xml:lang="en">Disable Zone Transfers from the Nameserver if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is it necessary for a secondary nameserver to receive zone data > via zone transfer from the primary server? If not, follow the instructions in this > section. If so, see the next section for instructions on protecting zone transfers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/named.conf. Add or correct the following directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > options { allow-transfer { none; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > } <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If both the primary and secondary nameserver are under your control, or > if you have only one nameserver, it may be possible to use an external configuration > management mechanism to distribute zone updates. In that case, it is not necessary to > allow zone transfers within BIND itself, so they should be disabled to avoid the > potential for abuse.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.4.4"> > <xccdf:title xml:lang="en">Authenticate Zone Transfers if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If it is necessary for a secondary nameserver to receive zone > data via zone transfer from the primary server, follow the instructions here. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Use dnssec-keygen to create a symmetric key file in the current directory: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /tmp <xhtml:br/> > # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com <xhtml:br/></xhtml:code> > Kdns.example.com .+aaa +iiiii<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This output is the name of a file containing the new key. Read the file to find the > base64-encoded key string: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cat Kdns.example.com.+NNN+MMMMM.key <xhtml:br/></xhtml:code> > dns.example.com IN KEY 512 3 157 base64-key-string <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/named.conf on the primary nameserver. Add the directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > key zone-transfer-key { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > algorithm hmac-md5; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > secret "base64-key-string "; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "example.com " IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > type master; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > allow-transfer { key zone-transfer-key; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/named.conf on the secondary nameserver. Add the directives: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > key zone-transfer-key { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > algorithm hmac-md5; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > secret "base64-key-string "; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > server IP-OF-MASTER { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > keys { zone-transfer-key; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "example.com " IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > type slave;<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > masters { IP-OF-MASTER ; }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > }; <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The BIND transaction signature (TSIG) functionality > allows primary and secondary nameservers to use a shared secret to verify authorization > to perform zone transfers. This method is more secure than using IP-based limiting to > restrict nameserver access, since IP addresses can be easily spoofed. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, if you > cannot configure TSIG between your servers because, for instance, the secondary > nameserver is not under your control and its administrators are unwilling to configure > TSIG, you can configure an allow-transfer directive with numerical IP addresses or ACLs > as a last resort. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The purpose of the dnssec-keygen command is to create the shared > secret string base64-key-string . Once this secret has been obtained and inserted into > named.conf on the primary and secondary servers, the key files > Kdns.example.com.+NNN+MMMMM.key and Kdns.example.com.+NNN+MMMMM.private are no longer > needed, and may safely be deleted.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.14.4.5"> > <xccdf:title xml:lang="en">Disable Dynamic Updates if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason to enable the risky dynamic > update functionality? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/named.conf. For each zone specification, correct > the following directive if necessary: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > zone "example.com " IN { <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > allow-update { none; };<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > } <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Dynamic updates allow remote servers to add, delete, or modify any entries in your > zone file. 
Therefore, they should be considered highly risky, and disabled unless there > is a very good reason for their use. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If dynamic updates must be allowed, IP-based ACLs > are insufficient protection, since they are easily spoofed. Instead, use TSIG keys (see > the previous section for an example), and consider using the update-policy directive to > restrict changes to only the precise type of change needed.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.14.4.5.a" selected="false" weight="10.0"> > <xccdf:title>Disable DNS Dynamic Updates if Possible</xccdf:title> > <xccdf:description>The BIND (DNS) dynamic updates feature should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4399-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/named.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20316"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15"> > <xccdf:title xml:lang="en">FTP Server</xccdf:title> > <xccdf:description xml:lang="en"> > FTP is a common method for allowing remote access to files. Like > telnet, the FTP protocol is unencrypted, which means that passwords and other data > transmitted during the session can be captured and that the session is vulnerable to > hijacking. Therefore, running the FTP server software is not recommended. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, there are > some FTP server configurations which may be appropriate for some environments, particularly > those which allow only read-only anonymous access as a means of downloading data available > to the public.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.1"> > <xccdf:title xml:lang="en">Disable vsftpd if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason for the machine to act as an > FTP server? If not, disable vsftpd if it has been installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig vsftpd off</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.15.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable vsftpd if Possible</xccdf:title> > <xccdf:description>The vsftpd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3919-8</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20317"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.15.1.b" selected="false" severity="low" weight="10.0"> > <xccdf:title>Uninstall vsftpd if Possible</xccdf:title> > <xccdf:description>The vsftpd service should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3919-8</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:203175"/> > </xccdf:check> > 
</xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.2"> > <xccdf:title xml:lang="en">Use vsftpd to Provide FTP Service if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If this machine must operate as an FTP server, install the vsftpd > package via the standard channels: <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install vsftpd</xhtml:code> After RHEL 2.1, Red Hat switched > from distributing wu-ftpd with RHEL to distributing vsftpd. For security and for > consistency with future Red Hat releases, the use of vsftpd is recommended.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3"> > <xccdf:title xml:lang="en">Configure vsftpd Securely</xccdf:title> > <xccdf:description xml:lang="en"> > The primary vsftpd configuration file is /etc/vsftpd.conf, if > that file exists, or /etc/vsftpd/vsftpd.conf if it does not. For the remainder of this > section, the phrase 'the configuration file' will refer to whichever of those files is > appropriate for your environment.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.1"> > <xccdf:title xml:lang="en">Enable Logging of All FTP Transactions</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the vsftpd configuration file. Add or correct the > following configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > xferlog_std_format=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > log_ftp_protocol=YES <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > modifications above ensure that all commands sent to the ftp server are logged using the > verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: If > verbose logging to vsftpd.log is done, sparse logging of downloads to /var/log/xferlog > will not also occur. However, the information about what files were downloaded is > included in the information logged to vsftpd.log.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.15.3.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Enable Logging of All FTP Transactions</xccdf:title> > <xccdf:description>Logging of vsftpd transactions should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4549-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/vsftpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20318"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.2"> > <xccdf:title xml:lang="en">Create Warning Banners for All FTP Users</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the vsftpd configuration file. Add or correct the > following configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > banner_file=/etc/issue <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See Section 2.3.7 for an > explanation of banner file use. 
This setting will cause the system greeting banner to be > used for FTP connections as well.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.15.3.2.a" selected="false" weight="10.0"> > <xccdf:title>Create Warning Banners for All FTP Users</xccdf:title> > <xccdf:description>A warning banner for all FTP users should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4554-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/vsftpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20319"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.3"> > <xccdf:title xml:lang="en">Restrict the Set of Users Allowed to Access FTP</xccdf:title> > <xccdf:description xml:lang="en"> > This section describes how to disable non-anonymous > (password-based) FTP logins, or, if it is not possible to do this entirely due to legacy > applications, how to restrict insecure FTP login to only those users who have an > identified need for this access.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.3.1"> > <xccdf:title xml:lang="en">Restrict Access to Anonymous Users if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason for users to transfer > files to/from their own accounts using FTP, rather than using a secure protocol like > SCP/SFTP? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the vsftpd configuration file. 
Add or correct the following > configuration option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > local_enable=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If non-anonymous FTP logins are necessary, > follow the guidance in the remainder of this section to secure these logins as much as > possible. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The use of non-anonymous FTP logins is strongly discouraged. Since SSH > clients and servers are widely available, and since SSH provides support for a > transfer mode which resembles FTP in user interface, there is no good reason to allow > password-based FTP access. See Section 3.5 for more information about SSH.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.15.3.3.1.a" selected="false" severity="high" weight="10.0"> > <xccdf:title>Restrict Access to Anonymous Users if Possible</xccdf:title> > <xccdf:description>Local user login to the vsftpd service should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4443-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/vsftpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20320"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.3.2"> > <xccdf:title xml:lang="en">Limit Users Allowed FTP Access if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If there is a mission-critical reason for users to access > their accounts via the insecure FTP protocol, limit the set of users who are allowed > this access. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the vsftpd configuration file. 
Add or correct the following > configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > userlist_enable=YES <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > userlist_file=/etc/vsftp.ftpusers<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > userlist_deny=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file /etc/vsftp.ftpusers. For each user USERNAME who should > be allowed to access the system via ftp, add a line containing that user's name.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > USERNAME <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If anonymous access is also required, add the anonymous usernames to > /etc/vsftp.ftpusers as well: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > anonymous <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ftp <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Historically, the file /etc/ftpusers > contained a list of users who were not allowed to access the system via ftp. It was > used to prevent system users such as the root user from logging in via the insecure > ftp protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, when the configuration option userlist_deny=NO is set, vsftpd > interprets ftpusers as the set of users who are allowed to login via ftp. 
Since it > should be possible for most users to access their accounts via secure protocols, it is > recommended that this setting be used, so that non-anonymous ftp access can be limited > to legacy users who have been explicitly identified.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.4"> > <xccdf:title xml:lang="en">Disable FTP Uploads if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Is there a mission-critical reason for users to upload files > via FTP? If not: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the vsftpd configuration file. Add or correct the following > configuration options: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > write_enable=NO <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If FTP uploads are necessary, follow the guidance > in the remainder of this section to secure these transactions as much as possible.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Anonymous FTP can be a convenient way to make files available for universal download. > However, it is less common to have a need to allow unauthenticated users to place files > on the FTP server. 
If this must be done, it is necessary to ensure that files cannot be > uploaded and downloaded from the same directory.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.15.3.4.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable FTP Uploads if Possible</xccdf:title> > <xccdf:description>File uploads via vsftpd should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4461-0</xccdf:ident> > <xccdf:fixtext>(1) via /etc/vsftpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20321"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.5"> > <xccdf:title xml:lang="en">Place the FTP Home Directory on its Own Partition</xccdf:title> > <xccdf:description xml:lang="en"> > By default, the anonymous FTP root is the home directory of the > ftp user account. The df command can be used to verify that this directory is on its own > partition. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there is a mission-critical reason for anonymous users to upload files, > precautions must be taken to prevent these users from filling a disk used by other > services.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.15.3.6"> > <xccdf:title xml:lang="en">Configure Firewalls to Protect the FTP Server</xccdf:title> > <xccdf:description xml:lang="en"> > Edit the file /etc/sysconfig/iptables. 
Add the following lines, > ensuring that they appear before the final LOG and DROP lines for the > RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file /etc/sysconfig/iptables-config. Ensure that the space-separated > list of modules contains the FTP connection tracking module:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IPTABLES_MODULES="ip_conntrack_ftp" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These settings configure iptables to allow > connections to an FTP server. The first line allows initial connections to the FTP > server port. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > FTP is an older protocol which is not very compatible with firewalls. > During the initial FTP dialogue, the client and server negotiate an arbitrary port to be > used for data transfer. The ip_conntrack_ftp module is used by iptables to listen to > that dialogue and allow connections to the data ports which FTP negotiates. This allows > an FTP server to operate on a machine which is running a firewall.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16"> > <xccdf:title xml:lang="en">Web Server</xccdf:title> > <xccdf:description xml:lang="en"> > The web server is responsible for providing access to content via > the HTTP protocol. 
Web servers represent a significant security risk because: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The HTTP port is commonly probed by malicious sources </xhtml:li><xhtml:li>Web server software is very complex, and includes a long history of vulnerabilities </xhtml:li><xhtml:li>The HTTP protocol is unencrypted and vulnerable to passive monitoring </xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The system's default web server software is Apache 2 and is provided > in the RPM package httpd.</xccdf:description> > <xccdf:reference>Ristic, I. Apache Security. O'Reilly and Associates, Mar 2005</xccdf:reference> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.1"> > <xccdf:title xml:lang="en">Disable Apache if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > If Apache was installed and activated, but the system does not > need to act as a web server, then it should be disabled and removed from the system: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig httpd off <xhtml:br/> > # yum erase httpd</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable Apache if Possible</xccdf:title> > <xccdf:description>The httpd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4338-0</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20322"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule 
id="xccdf_cdf_rule_rule-3.16.1.b" selected="false" weight="10.0"> > <xccdf:title>Uninstall Apache if Possible</xccdf:title> > <xccdf:description>The httpd package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4514-6</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20323"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.2"> > <xccdf:title xml:lang="en">Install Apache if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If the Apache web server must be run, follow these guidelines to > install it defensively. Then follow the guidelines in the remainder of Section 3.16 to > configure the web server machine and software as securely as possible.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.2.1"> > <xccdf:title xml:lang="en">Install Apache Software Safely</xccdf:title> > <xccdf:description xml:lang="en"> > Install the Apache 2 package from the standard Red Hat > distribution channel: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install httpd <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: This method of installation is > recommended over installing the 'Web Server' package group during the system > installation process. 
The Web Server package group includes many packages which are > likely extraneous, while the command-line method installs only the required httpd > package itself.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.2.2"> > <xccdf:title xml:lang="en">Confirm Minimal Built-in Modules</xccdf:title> > <xccdf:description xml:lang="en"> > The default Apache installation minimizes the number of modules > that are compiled directly into the binary (core, prefork, http_core, mod_so). This > minimizes risk by limiting the capabilities allowed by the webserver. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Query the set of compiled-in modules using the following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">$ httpd -l <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the number of compiled-in > modules is significantly larger than the aforementioned set, this guide recommends > reinstalling Apache with a reduced configuration.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3"> > <xccdf:title xml:lang="en">Secure the Apache Configuration</xccdf:title> > <xccdf:description xml:lang="en"> > The Apache configuration file is /etc/httpd/conf/httpd.conf. > Apply the recommendations in the remainder of this section to this file.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.1"> > <xccdf:title xml:lang="en">Restrict Information Leakage</xccdf:title> > <xccdf:description xml:lang="en"> > The ServerTokens and ServerSignature directives determine how > much information the web server discloses about the configuration of the system. 
> ServerTokens Prod restricts information in page headers, returning only the word > 'Apache.' ServerSignature Off keeps Apache from displaying the server version on error > pages. It is a good security practice to limit the information provided to clients. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Add > or correct the following directives in /etc/httpd/conf/httpd.conf so that as little > information as possible is released: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ServerTokens Prod <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ServerSignature Off</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.16.3.1.a" operator="equals" type="string"> > <xccdf:title>value of ServerTokens</xccdf:title> > <xccdf:description xml:lang="en">Tells apache to only return Apache in the Server header, returned on every page request.</xccdf:description> > <xccdf:question xml:lang="en">Specify restrictions of provided information in page headers for web server</xccdf:question> > <xccdf:value>Prod</xccdf:value> > <xccdf:value selector="prod">Prod</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.16.3.1.b" operator="equals" type="string"> > <xccdf:title>value of ServerSignature</xccdf:title> > <xccdf:description xml:lang="en">Tells apache not to display the server version on error pages, or other pages it generates.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable Apache displaying the server version on error pages</xccdf:question> > <xccdf:value>Off</xccdf:value> > <xccdf:value selector="off">Off</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.3.1.a" selected="false" weight="10.0"> > <xccdf:title>Restrict Information Leakage using ServerTokens</xccdf:title> > <xccdf:description>The apache2 server's ServerTokens value should be set 
appropriately</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4474-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/httpd/conf/httpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20324" value-id="xccdf_cdf_value_var-3.16.3.1.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20324"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.3.1.b" selected="false" weight="10.0"> > <xccdf:title>Restrict Information Leakage using ServerSignature</xccdf:title> > <xccdf:description>The apache2 server's ServerSignature value should be set appropriately</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3756-4</xccdf:ident> > <xccdf:fixtext>(1) via /etc/httpd/conf/httpd.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20325" value-id="xccdf_cdf_value_var-3.16.3.1.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20325"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2"> > <xccdf:title xml:lang="en">Minimize Loadable Modules</xccdf:title> > <xccdf:description xml:lang="en"> > A default installation of Apache includes a plethora of > 'dynamically shared objects' (DSO) that are loaded at run-time. Unlike the > aforementioned 'compiled-in' modules, a DSO can be disabled in the configuration file by > removing the corresponding LoadModule directive. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: A DSO only provides additional > functionality if associated directives are included in the Apache configuration file. 
It > should also be noted that removing a DSO will produce errors on Apache startup if the > configuration file contains directives that apply to that module. Refer to > http://httpd.apache.org/docs/ for details on which directives are associated with each > DSO. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Following each DSO removal, the configuration can be tested with the following command > to check if everything still works: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># service httpd configtest <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The purpose of each of > the modules loaded by default will now be addressed one at a time. If none of a module's > directives are being used, remove it.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.1"> > <xccdf:title xml:lang="en">Apache Core Modules</xccdf:title> > <xccdf:description xml:lang="en"> > These modules comprise a basic subset of modules that are > likely needed for base Apache functionality; ensure they are not commented out in > /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule auth_basic_module modules/mod_auth_basic.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule authn_default_module modules/mod_authn_default.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule authz_host_module modules/mod_authz_host.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule authz_user_module modules/mod_authz_user.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule authz_groupfile_module modules/mod_authz_groupfile.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule 
authz_default_module modules/mod_authz_default.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule log_config_module modules/mod_log_config.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule logio_module modules/mod_logio.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule setenvif_module modules/mod_setenvif.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule mime_module modules/mod_mime.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule autoindex_module modules/mod_autoindex.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule negotiation_module modules/mod_negotiation.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule dir_module modules/mod_dir.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule alias_module modules/mod_alias.so</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.2"> > <xccdf:title xml:lang="en">HTTP Basic Authentication</xccdf:title> > <xccdf:description xml:lang="en"> > The following modules are necessary if this web server will > provide content that will be restricted by a password. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Authentication can be performed > using local plain text password files (authn_file), local DBM password files > (authn_dbm) or an LDAP directory (see Section 3.16.3.2.5). The only module required by the > web server depends on your choice of authentication. 
Comment out the modules you don't > need from the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule authn_file_module modules/mod_authn_file.so<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > LoadModule authn_dbm_module modules/mod_authn_dbm.so <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > authn_alias allows for > authentication based on aliases. authn_anon allows anonymous authentication similar to > that of anonymous ftp sites. authz owner allows authorization based on file ownership. > authz dbm allows for authorization based on group membership if the web server is > using DBM authentication. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the > related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule authn_alias_module modules/mod_authn_alias.so <xhtml:br/> > #LoadModule authn_anon_module modules/mod_authn_anon.so <xhtml:br/> > #LoadModule authz_owner_module modules/mod_authz_owner.so <xhtml:br/> > #LoadModule authz_dbm_module modules/mod_authz_dbm.so</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.3"> > <xccdf:title xml:lang="en">HTTP Digest Authentication</xccdf:title> > <xccdf:description xml:lang="en"> > This module provides encrypted authentication sessions. > However, this module is rarely used and considered experimental. 
Alternate methods of > encrypted authentication are recommended, such as SSL (Section 3.16.4.1) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above > functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule auth_digest_module modules/mod_auth_digest.so</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.4"> > <xccdf:title xml:lang="en">mod rewrite</xccdf:title> > <xccdf:description xml:lang="en"> > The mod rewrite module is very powerful and can protect > against certain classes of web attacks. However, it is also very complex and has a > significant history of vulnerabilities itself. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is > unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule rewrite_module modules/mod_rewrite.so</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.5"> > <xccdf:title xml:lang="en">LDAP Support</xccdf:title> > <xccdf:description xml:lang="en"> > This module provides HTTP authentication via an LDAP > directory. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related modules:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule ldap_module modules/mod_ldap.so <xhtml:br/> > #LoadModule authnz_ldap_module modules/mod_authnz_ldap.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If LDAP is to be used, SSL encryption (Section 3.16.4.1) > should be used as well.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.6"> > <xccdf:title xml:lang="en">Server Side Includes</xccdf:title> > <xccdf:description xml:lang="en"> > Server Side Includes provide a method of dynamically > generating web pages through the insertion of server-side code. However, the > technology is also deprecated and introduces significant security concerns. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule include_module modules/mod_include.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there is a critical need for Server Side > Includes, they should be enabled with the option IncludesNoExec to prevent arbitrary > code execution. 
Additionally, user supplied data should be encoded to prevent > cross-site scripting vulnerabilities.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.7"> > <xccdf:title xml:lang="en">MIME Magic</xccdf:title> > <xccdf:description xml:lang="en"> > This module provides a second layer of MIME support that in > most configurations is likely extraneous. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule mime_magic_module modules/mod_mime_magic.so</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.8"> > <xccdf:title xml:lang="en">WebDAV (Distributed Authoring and Versioning)</xccdf:title> > <xccdf:description xml:lang="en"> > WebDAV is an extension of the HTTP protocol that provides > distributed and collaborative access to web content. Due to a number of security > concerns with WebDAV, its use is not recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule dav_module modules/mod_dav.so <xhtml:br/> > #LoadModule dav_fs_module modules/mod_dav_fs.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there is a > critical need for WebDAV, extra care should be taken in its configuration. 
Since DAV > access allows remote clients to manipulate server files, any location on the server > that is DAV enabled should be protected by encrypted authentication.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.9"> > <xccdf:title xml:lang="en">Server Activity Status</xccdf:title> > <xccdf:description xml:lang="en"> > This module provides real-time access to statistics on the > internal operation of the web server. This is an unnecessary information leak and > should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule status_module modules/mod_status.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there is a critical need > for this module, ensure that access to the status page is properly restricted to a > limited set of hosts in the status handler configuration.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.10"> > <xccdf:title xml:lang="en">Web Server Configuration Display</xccdf:title> > <xccdf:description xml:lang="en"> > This module creates a web page illustrating the configuration > of the web server. This is an unnecessary security leak and should be disabled. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule info_module modules/mod_info.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there is a critical need for this module, use the > Location directive to provide an access control list to restrict access to the > information.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.11"> > <xccdf:title xml:lang="en">URL Correction on Misspelled Entries</xccdf:title> > <xccdf:description xml:lang="en"> > This module attempts to find a document match by allowing one > misspelling in an otherwise failed request. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule speling_module modules/mod_speling.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This functionality weakens server security by making site enumeration easier.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.12"> > <xccdf:title xml:lang="en">User-specific directories</xccdf:title> > <xccdf:description xml:lang="en"> > The UserDir directive provides user-specific directory > translation, allowing URLs based on associated usernames. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule userdir_module modules/mod_userdir.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there is a critical need for this module, include the line > UserDir disabled root (at a minimum) in the configuration file. Ideally, UserDir > should be disabled, and then enabled on a case-by-case basis for specific users that > require this functionality. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: A web server's users can be trivially enumerated > using this module.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.13"> > <xccdf:title xml:lang="en">Proxy Support</xccdf:title> > <xccdf:description xml:lang="en"> > This module provides proxying support, allowing Apache to > forward requests and serve as a gateway for other servers. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule proxy_module modules/mod_proxy.so <xhtml:br/> > #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so<xhtml:br/> > #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so <xhtml:br/> > #LoadModule proxy_http_module modules/mod_proxy_http.so <xhtml:br/> > #LoadModule proxy_connect_module modules/mod_proxy_connect.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If proxy support is needed, load proxy and the > appropriate proxy protocol handler module (one of proxy http, proxy ftp, or proxy > connect). Additionally, make certain that a server is secure before enabling proxying, > as open proxy servers are a security risk. proxy balancer enables load balancing, but > requires that mod status be enabled. Since mod status is not recommended, proxy > balancer should be avoided as well.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.14"> > <xccdf:title xml:lang="en">Cache Support</xccdf:title> > <xccdf:description xml:lang="en"> > This module allows Apache to cache data, optimizing access to > frequently accessed content. However, not only is it an experimental module, but it > also introduces potential security flaws into the web server such as the possibility > of circumventing Allow and Deny directives. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule cache_module modules/mod_cache.so<xhtml:br/> > #LoadModule disk_cache_module modules/mod_disk_cache.so <xhtml:br/> > #LoadModule file_cache_module modules/mod_file_cache.so <xhtml:br/> > #LoadModule mem_cache_module modules/mod_mem_cache.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If caching is required, it should not be enabled for any limited-access content.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.15"> > <xccdf:title xml:lang="en">CGI Support (and Related Modules)</xccdf:title> > <xccdf:description xml:lang="en"> > This module allows HTML to interact with the CGI web > programming language. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above functionality is unnecessary, comment out the related modules: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#LoadModule cgi_module modules/mod_cgi.so <xhtml:br/> > #LoadModule env_module modules/mod_env.so <xhtml:br/> > #LoadModule actions_module modules/mod_actions.so <xhtml:br/> > #LoadModule suexec_module modules/mod_suexec.so <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the web server requires the use of CGI, enable > the cgi module. If extended CGI functionality is required, include the appropriate > modules. env allows for control of the environment passed to CGI scripts. actions > allows CGI events to be triggered when files of a certain type are requested. 
su exec > allows CGI scripts to run as a specified user/group instead of as the server's > user/group.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.2.16"> > <xccdf:title xml:lang="en">Various Optional Components</xccdf:title> > <xccdf:description xml:lang="en"> > The following modules perform very specific tasks, sometimes > providing access to just a few additional directives. If this functionality is not > required (or if you are not using these directives), comment out the associated > module: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>External filtering (response passed through external program prior to client delivery) <xhtml:br/> > <xhtml:br/> > <xhtml:code>#LoadModule ext_filter_module modules/mod_ext_filter.so </xhtml:code></xhtml:li><xhtml:li>User-specified > Cache Control and Expiration <xhtml:br/> > <xhtml:br/> > <xhtml:code>#LoadModule expires_module modules/mod_expires.so</xhtml:code> </xhtml:li><xhtml:li>Compression Output Filter (provides content compression prior to client delivery)<xhtml:br/> > <xhtml:br/> > <xhtml:code>#LoadModule deflate_module modules/mod_deflate.so </xhtml:code></xhtml:li><xhtml:li>HTTP Response/Request Header Customization <xhtml:br/> > <xhtml:br/> > <xhtml:code>#LoadModule headers_module modules/mod_headers.so</xhtml:code> </xhtml:li><xhtml:li>User activity monitoring via cookies <xhtml:br/> > <xhtml:br/> > <xhtml:code>#LoadModule usertrack_module modules/mod_usertrack.so </xhtml:code></xhtml:li><xhtml:li>Dynamically configured mass virtual hosting <xhtml:br/> > <xhtml:br/> > <xhtml:code>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</xhtml:code></xhtml:li></xhtml:ul> > </xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.3"> > <xccdf:title xml:lang="en">Minimize 
Configuration Files Included</xccdf:title> > <xccdf:description xml:lang="en"> > The Include directive directs Apache to load supplementary > configuration files from a provided path. The default configuration loads all files that > end in .conf from the /etc/httpd/conf.d directory. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To restrict excess configuration, the > following line should be commented out and replaced with Include directives that only > reference required configuration files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml">#Include conf.d/*.conf <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the above change was > made, ensure that the SSL encryption remains loaded by explicitly including the > corresponding configuration file: (see Section 3.16.4.1 for further details on SSL > configuration) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Include conf.d/ssl.conf <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If PHP is necessary, a similar alteration must be > made: (see Section 3.16.4.4.1 for further details on PHP configuration) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Include conf.d/php.conf</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.4"> > <xccdf:title xml:lang="en">Directory Restrictions</xccdf:title> > <xccdf:description xml:lang="en"> > The Directory tags in the web server configuration file allow > finer grained access control for a specified directory. 
All web directories should be > configured on a case-by-case basis, allowing access only where needed.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.4.1"> > <xccdf:title xml:lang="en">Restrict Root Directory</xccdf:title> > <xccdf:description xml:lang="en"> > The Apache root directory should always have the most > restrictive configuration enabled. > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <Directory > /> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Options None > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > AllowOverride None > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Order > allow,deny > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </Directory> > </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.4.2"> > <xccdf:title xml:lang="en">Restrict Web Directory</xccdf:title> > <xccdf:description xml:lang="en"> > The default configuration for the web (/var/www/html) > Directory allows directory indexing (Indexes)and the following of symbolic links > (FollowSymLinks). Neither of these is recommended.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > /var/www/html directory hierarchy should not be viewable via the web, and symlinks > should only be followed if the owner of the symlink also owns the linked > file.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ensure that this policy is adhered to by altering the > related section of the configuration:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <Directory > "/var/www/html"> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # ... 
> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Options SymLinksIfOwnerMatch > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # ... > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </Directory> > </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.4.3"> > <xccdf:title xml:lang="en">Restrict Other Critical Directories</xccdf:title> > <xccdf:description xml:lang="en"> > All accessible web directories should be configured with > similar restrictive settings. The Options directive should be limited to necessary > functionality and the AllowOverride directive should be used only if needed. The Order > and Deny access control tags should be used to deny access by default, allowing access > only where necessary.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.5"> > <xccdf:title xml:lang="en">Configure Authentication if Applicable</xccdf:title> > <xccdf:description xml:lang="en"><xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Set up a password file. <xhtml:br/> > <xhtml:br/> > If a password file doesn't yet exist, one must be generated with the following command: <xhtml:br/> > <xhtml:br/> > <xhtml:code># htpasswd -cs passwdfile user <xhtml:br/></xhtml:code> > <xhtml:br/> > <xhtml:em>WARNING: This command will overwrite an existing file at this location.</xhtml:em> > <xhtml:br/> > Once a password file has been generated, subsequent users can be added with the > following command: <xhtml:br/> > <xhtml:br/> > <xhtml:code># htpasswd -s passwdfile user </xhtml:code></xhtml:li><xhtml:li>Optionally, set up a group file (if using group authentication). 
<xhtml:br/> > <xhtml:br/> > The group file is a plain text file of the following format > (each group is on its own line, followed by a colon and a list of users that belong to > that group, separated by spaces): <xhtml:br/> > <xhtml:br/> > group : user1 user2 <xhtml:br/> > group2 : user3 </xhtml:li><xhtml:li>Modify file > permissions so that Apache can read the group and passwd files: <xhtml:br/> > <xhtml:br/> > <xhtml:code># chgrp apache passwdfile groupfile <xhtml:br/> > # chmod 640 passwdfile groupfile </xhtml:code></xhtml:li><xhtml:li>Turn on authentication for desired directories <xhtml:br/> > <xhtml:br/> > Add the following options inside the appropriate Directory tag: <xhtml:br/> > <xhtml:br/> > <xhtml:ul><xhtml:li>For single-user authentication: <xhtml:br/> > <Directory "directory "> <xhtml:br/> > # ... AuthName "Private Data" <xhtml:br/> > AuthType Basic <xhtml:br/> > AuthUserFile passwdfile <xhtml:br/> > require user user <xhtml:br/> > # ...<xhtml:br/> > </Directory> </xhtml:li><xhtml:li>For multiple-user authentication restricted by groups:<xhtml:br/> > <Directory "directory "> <xhtml:br/> > # ... <xhtml:br/> > AuthName "Private Data" <xhtml:br/> > AuthType Basic<xhtml:br/> > <xhtml:br/> > AuthUserFile passwdfile <xhtml:br/> > AuthGroupFile groupfile <xhtml:br/> > require group group <xhtml:br/> > # ...<xhtml:br/> > </Directory> </xhtml:li><xhtml:li>For multiple-user authentication restricted by valid user accounts: <xhtml:br/> > <xhtml:br/> > <Directory "directory "> <xhtml:br/> > # ... <xhtml:br/> > AuthName "Private Data" <xhtml:br/> > AuthType Basic <xhtml:br/> > AuthUserFile passwdfile <xhtml:br/> > require valid-user <xhtml:br/> > # ... <xhtml:br/> > </Directory> </xhtml:li></xhtml:ul> > </xhtml:li></xhtml:ol> > The AuthName directive specifies a label for the protected content. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The AuthType directive > specifies the kind of authentication (if using Digest authentication, this line would > instead read AuthType Digest) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The AuthUserFile and AuthGroupFile directives point to the > password and group files (if using Digest authentication, these directives would instead > be AuthDigestFile and AuthDigestGroupFile.)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The require user directive restricts access > to a single user. The require group directive restricts access to multiple users in a > designated group. The short-hand require valid-user directive restricts access to any > user in the passwdfile <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: Make sure the AuthUserFile and AuthGroupFile locations are > outside the web server document tree to prevent remote clients from having access to > restricted usernames and passwords. This guide recommends /etc/httpd/conf as a location > for these files.</xccdf:description> > <xccdf:warning xml:lang="en">Basic authentication is handled in plaintext over the network. > Therefore, all login attempts are vulnerable to password sniffing. For increased > protection against passive monitoring, encrypted authentication over a secure channel > such as SSL (Section 3.16.4.1) is recommended. </xccdf:warning> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.3.6"> > <xccdf:title xml:lang="en">Limit Available Methods</xccdf:title> > <xccdf:description xml:lang="en"> > Web server methods are defined in section 9 of RFC 2616 > (http://www.ietf.org/rfc/rfc2616.txt). 
If a web server does not require the > implementation of all available methods, they should be disabled. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: GET and POST are > the most common methods. A majority of the others are limited to the WebDAV protocol.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <Directory /var/www/html> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Only allow specific methods (this command is case-sensitive!) <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <LimitExcept GET POST> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Order allow,deny<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </LimitExcept> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # ... <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </Directory></xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4"> > <xccdf:title xml:lang="en">Use Appropriate Modules to Improve Apache's Security</xccdf:title> > <xccdf:description xml:lang="en"> > Among the modules available for Apache are several whose use may > improve the security of the web server installation. This section recommends and discusses > the deployment of security-relevant modules.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.1"> > <xccdf:title xml:lang="en">Deploy mod ssl</xccdf:title> > <xccdf:description xml:lang="en"> > Because HTTP is a plain text protocol, all traffic is > susceptible to passive monitoring. If there is a need for confidentiality, SSL should be > configured and enabled to encrypt content. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: mod nss is a FIPS 140-2 certified > alternative to mod ssl. The modules share a considerable amount of code and should be > nearly identical in functionality. If FIPS 140-2 validation is required, then mod nss > should be used. If it provides some feature or its greater compatibility is required, > then mod ssl should be used.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.1.1"> > <xccdf:title xml:lang="en">Install mod ssl</xccdf:title> > <xccdf:description xml:lang="en"> > Install mod ssl: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># yum install mod_ssl</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.1.2"> > <xccdf:title xml:lang="en">Create an SSL Certificate</xccdf:title> > <xccdf:description xml:lang="en"> > On your CA (if you are using your own) or on another > physically secure system, generate a key pair for the web server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/> > # openssl genrsa -des3 -out httpserverkey.pem 2048 <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > When prompted, > enter a strong, unique passphrase to protect the web server key pair. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Next, generate a Certificate Signing Request (CSR) from the key for the CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key httpserverkey.pem -out httpserver.csr <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Enter the passphrase for the web server key pair > and then fill out the fields as completely as possible (or hit return to accept > defaults); the Common Name field is especially important. It must match the > fully-qualified domain name of your server exactly (e.g. www.example.com) or the > certificate will not work. The /etc/pki/tls/openssl.conf file will determine which > other fields (e.g. Country Name, Organization Name, etc) must match between the server > request and the CA. Leave the challenge password and an optional company name blank. > Next, the web server CSR must be signed to create the web server certificate. You can > either send the CSR to an established CA or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To sign httpserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in httpserver.csr -out httpservercert.pem<xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > When prompted, enter the CA passphrase to continue and then complete the process. The > httpservercert.pem certificate needed to enable SSL on the web server is now in the > directory. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Finally, the web server key and certificate file need to be moved to the > web server. Use removable media if possible. Place the server key and certificate file > in /etc/pki/tls/http/, naming them serverkey.pem and servercert.pem, respectively.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.1.3"> > <xccdf:title xml:lang="en">Install SSL Certificate</xccdf:title> > <xccdf:description xml:lang="en"> > Add or modify the configuration file > /etc/httpd/conf.d/ssl.conf to match the following: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # establish new listening port<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Listen 443 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # seed appropriately <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLRandomSeed startup file:/dev/urandom 1024<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLRandomSeed connect file:/dev/urandom 1024 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <VirtualHost site-on-certificate.com:443> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Enable SSL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLEngine On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Path to server certificate + private key <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLCertificateFile /etc/pki/tls/http/servercert.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLCertificateKeyFile /etc/pki/tls/http/serverkey.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 
SSLProtocol All -SSLv2 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Weak ciphers and null authentication should be denied unless absolutely necessary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # (and even then, such cipher weakening should occur within a Location enclosure)<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLCipherSuite HIGH:MEDIUM:!aNULL:+MD5 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </VirtualHost> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ensure that all > directories that house SSL content are restricted to SSL access only in > /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <Directory /var/www/html/secure> <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # require SSL for access <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLRequireSSL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLOptions +StrictRequire <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # require domain to match certificate domain <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SSLRequire %{HTTP_HOST} eq "site-on-certificate.com" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # rather than reply with 403 error, redirect user to appropriate site <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # this is OPTIONAL - uncomment to apply <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # ErrorDocument 403 https://site-on-certificate.com<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > </Directory></xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.2"> > <xccdf:title xml:lang="en">Deploy mod security</xccdf:title> 
> <xccdf:description xml:lang="en"> > mod security provides an application level firewall for Apache. > Following the installation of mod security with the base ruleset, specific configuration > advice can be found at http://www.modsecurity.org/ to design a policy that best matches > the security needs of the web applications.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.2.1"> > <xccdf:title xml:lang="en">Install mod security</xccdf:title> > <xccdf:description xml:lang="en"> > Install mod security: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # yum install mod_security</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.2.2"> > <xccdf:title xml:lang="en">Configure mod security Filtering</xccdf:title> > <xccdf:description xml:lang="en"> > mod security supports a significant number of options, far > too many to be fully covered in this guide. 
However, the following list comprises a > smaller subset of suggested filters to be added to /etc/httpd/conf/httpd.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # enable mod_security <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilterEngine On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # enable POST filtering <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilterScanPost On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Make sure that URL encoding is valid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilterCheckURLEncoding On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Accept almost all byte values <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilterForceByteRange 1 255 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Prevent directory traversal <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilter "\.\./" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Filter on specific system paths <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilter /etc/passwd <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilter /bin/ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Prevent cross-site scripting <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilter "<[[:space:]]* script" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Prevent SQL injection <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilter "delete[[:space:]]+from" <xhtml:br 
xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilter "insert[[:space:]]+into"<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecFilter "select.+from"</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.3"> > <xccdf:title xml:lang="en">Use Denial-of-Service Protection Modules</xccdf:title> > <xccdf:description xml:lang="en"> > Denial-of-service attacks are difficult to detect and prevent > while maintaining acceptable access to authorized users. However, there are a number of > traffic-shaping modules that attempt to address the problem. Well-known DoS protection > modules include mod_throttle, mod_bwshare, mod_limitipconn and mod_dosevasive. It is > recommended that denial-of-service prevention be implemented for the web server. > However, this guide leaves specific configuration details to the discretion of the > reader.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.4"> > <xccdf:title xml:lang="en">Configure Supplemental Modules Appropriately</xccdf:title> > <xccdf:description xml:lang="en">Any required functionality added to the web server via additional modules should be configured appropriately.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.4.4.1"> > <xccdf:title xml:lang="en">Configure PHP Securely</xccdf:title> > <xccdf:description xml:lang="en"> > PHP is a widely used and often misconfigured server-side > scripting language. It should be used with caution, but configured appropriately when > needed. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Make the following changes to /etc/php.ini: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Do not expose PHP error messages to external users <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > display_errors = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Enable safe mode <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > safe_mode = On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Only allow access to executables in isolated directory <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > safe_mode_exec_dir = php-required-executables-path <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Limit external access to PHP environment<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > safe_mode_allowed_env_vars = PHP_ <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Restrict PHP information leakage <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > expose_php = Off<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Log all errors <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > log_errors = On <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Do not register globals for input data<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > register_globals = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Minimize allowable PHP post size <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > 
post_max_size = 1K <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Ensure PHP redirects appropriately <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > cgi.force_redirect = 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Disallow uploading unless necessary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > file_uploads = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Disallow treatment of file requests as fopen calls<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > allow_url_fopen = Off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # Enable SQL safe mode <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > sql.safe_mode = On</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.5"> > <xccdf:title xml:lang="en">Configure Operating System to Protect Web Server</xccdf:title> > <xccdf:description xml:lang="en"> > The following configuration steps should be taken on the machine > which hosts the web server, in order to provide as safe an environment as possible for the > web server.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.5.1"> > <xccdf:title xml:lang="en">Restrict File and Directory Access</xccdf:title> > <xccdf:description xml:lang="en"> > Minimize access to critical Apache files and directories: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chmod 511 /usr/sbin/httpd <xhtml:br/> > # chmod 750 /var/log/httpd/ <xhtml:br/> > # chmod 750 /etc/httpd/conf/ <xhtml:br/> > # chmod 640 /etc/httpd/conf/* <xhtml:br/> > # chgrp -R apache 
/etc/httpd/conf</xhtml:code></xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.16.5.1.a" operator="equals" type="string"> > <xccdf:title>Directory permissions on /etc/httpd/conf</xccdf:title> > <xccdf:description xml:lang="en">Specify directory permissions on /etc/httpd/conf</xccdf:description> > <xccdf:question xml:lang="en">Specify directory permissions of /etc/httpd/conf</xccdf:question> > <xccdf:value>111101000</xccdf:value> > <xccdf:value selector="750">111101000</xccdf:value> > <xccdf:match>^[01]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.16.5.1.b" operator="equals" type="string"> > <xccdf:title>File permissions on /etc/httpd/conf/*</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions on /etc/httpd/conf/*</xccdf:description> > <xccdf:question xml:lang="en">Specify file permissions of /etc/httpd/conf/*</xccdf:question> > <xccdf:value>110100000</xccdf:value> > <xccdf:value selector="640">110100000</xccdf:value> > <xccdf:match>^[01]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.16.5.1.c" operator="equals" type="string"> > <xccdf:title>File permissions on /usr/sbin/httpd</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions on /usr/sbin/httpd</xccdf:description> > <xccdf:question xml:lang="en">Specify file permissions of /usr/sbin/httpd</xccdf:question> > <xccdf:value>101001001</xccdf:value> > <xccdf:value selector="511">101001001</xccdf:value> > <xccdf:match>^[01]+$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.16.5.1.d" operator="equals" type="string"> > <xccdf:title>group owner of /etc/httpd/conf/*</xccdf:title> > <xccdf:description xml:lang="en">Specify group owner of /etc/httpd/conf/*</xccdf:description> > <xccdf:question xml:lang="en">Specify group owner of /etc/httpd/conf/*</xccdf:question> > <xccdf:value>apache</xccdf:value> > <xccdf:value selector="apache">apache</xccdf:value> > </xccdf:Value> > <xccdf:Value 
id="xccdf_cdf_value_var-3.16.5.1.e" operator="equals" type="string"> > <xccdf:title>File permissions on /var/log/httpd/</xccdf:title> > <xccdf:description xml:lang="en">Specify file permissions on /var/log/httpd/</xccdf:description> > <xccdf:question xml:lang="en">Specify file permissions of /var/log/httpd/</xccdf:question> > <xccdf:value>111101000</xccdf:value> > <xccdf:value selector="750">111101000</xccdf:value> > <xccdf:match>^[01]+$</xccdf:match> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.5.1.a" selected="false" weight="10.0"> > <xccdf:title>Restrict permissions on /etc/httpd/conf</xccdf:title> > <xccdf:description>File permissions for /etc/httpd/conf should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4509-6</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20326" value-id="xccdf_cdf_value_var-3.16.5.1.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20326"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.5.1.b" selected="false" weight="10.0"> > <xccdf:title>Restrict permissions on /etc/httpd/conf/*</xccdf:title> > <xccdf:description>File permissions for /etc/httpd/conf/* should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4386-9</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20327" value-id="xccdf_cdf_value_var-3.16.5.1.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20327"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.5.1.c" selected="false" weight="10.0"> > <xccdf:title>Restrict permissions on 
/usr/sbin/httpd</xccdf:title> > <xccdf:description>File permissions for /usr/sbin/httpd should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4029-5</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20328" value-id="xccdf_cdf_value_var-3.16.5.1.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20328"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.5.1.d" selected="false" weight="10.0"> > <xccdf:title>Restrict group access to /etc/httpd/conf/*</xccdf:title> > <xccdf:description>The /etc/httpd/conf/* files should be owned by the appropriate group.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3581-6</xccdf:ident> > <xccdf:fixtext>(1) via chgrp</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20329" value-id="xccdf_cdf_value_var-3.16.5.1.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20329"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.16.5.1.e" selected="false" weight="10.0"> > <xccdf:title>Restrict permissions on /var/log/httpd</xccdf:title> > <xccdf:description>File permissions for /var/log/httpd should be set correctly.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4574-0</xccdf:ident> > <xccdf:fixtext>(1) via chmod</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20330" value-id="xccdf_cdf_value_var-3.16.5.1.e"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20330"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group 
hidden="false" id="xccdf_cdf_group_group-3.16.5.2"> > <xccdf:title xml:lang="en">Configure iptables to Allow Access to the Web Server</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/sysconfig/iptables. Add the following lines, ensuring > that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default > Iptables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) > ports used by the web server. This modification allows that access, while keeping other > ports on the server in their default protected state. See Section 2.5.5 for more > information about Iptables.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.5.3"> > <xccdf:title xml:lang="en">Run Apache in a chroot Jail if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > Putting Apache in a chroot jail minimizes the damage done by a > potential break-in by isolating the web server to a small section of the filesystem. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In > order to configure Apache to run from a chroot directory, edit the Apache configuration > file, /etc/httpd/conf/httpd.conf, and add the directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SecChrootDir /chroot/apache <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It > is also necessary to place all files required by Apache inside the filesystem rooted at > /chroot/apache, including Apache's binaries, modules, configuration files, and served > web pages. The details of this configuration are beyond the scope of this guide.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.16.6"> > <xccdf:title xml:lang="en">Additional Resources</xccdf:title> > <xccdf:description xml:lang="en"> > Further resources should be consulted if your web server requires > more extensive configuration guidance, especially if particular applications need to be > secured. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In particular, [26] is recommended as a more comprehensive guide to securing Apache.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17"> > <xccdf:title xml:lang="en">IMAP and POP3 Server</xccdf:title> > <xccdf:description xml:lang="en"> > Dovecot provides IMAP and POP3 services. It is not installed by > default. 
The project page at http://www.dovecot.org contains more detailed information > about Dovecot configuration.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.1"> > <xccdf:title xml:lang="en">Disable Dovecot if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > If the system does not need to operate as an IMAP or POP3 server, > disable and remove Dovecot if it was installed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig dovecot off <xhtml:br/> > # yum erase dovecot</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable Dovecot if Possible</xccdf:title> > <xccdf:description>The dovecot service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3847-1</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20331"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.1.b" selected="false" weight="10.0"> > <xccdf:title>Uninstall Dovecot if Possible</xccdf:title> > <xccdf:description>The dovecot package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4239-0</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20332"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2"> > <xccdf:title xml:lang="en">Configure Dovecot if Necessary</xccdf:title> > <xccdf:description xml:lang="en">Dovecot's main 
configuration file is /etc/dovecot.conf. The settings which appear, commented out, in the file are the defaults.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.1"> > <xccdf:title xml:lang="en">Support Only the Necessary Protocols</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/dovecot.conf. Add or correct the following lines, > replacing PROTOCOL with only the subset of protocols (imap, imaps, pop3, pop3s) > required: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > protocols = PROTOCOL <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Dovecot supports the IMAP and POP3 protocols, as well as > SSL-protected versions of those protocols. Configure the Dovecot server to support only > the protocols needed by your site. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If possible, require SSL protection for all > transactions. The SSL protocol variants listen on alternate ports (995 instead of 110 > for pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. 
An > alternate approach is to listen on the standard port and require the client to use the > STARTTLS command before authenticating.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.2.1.a" selected="false" weight="10.0"> > <xccdf:title>Dovecot should not support imaps</xccdf:title> > <xccdf:description>Dovecot should be configured to not support the imaps protocol</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4384-4</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dovecot.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20333"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.2.1.b" selected="false" weight="10.0"> > <xccdf:title>Dovecot should not support pop3s</xccdf:title> > <xccdf:description>Dovecot should be configured to not support the pop3s protocol</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3887-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dovecot.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20334"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.2.1.c" selected="false" weight="10.0"> > <xccdf:title>Dovecot should not support pop3</xccdf:title> > <xccdf:description>Dovecot should be configured to not support the pop3 protocol</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4530-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dovecot.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20335"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.2.1.d" selected="false" weight="10.0"> > 
<xccdf:title>Dovecot should not support imap</xccdf:title> > <xccdf:description>Dovecot should be configured to not support the imap protocol</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4547-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dovecot.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20336"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.2"> > <xccdf:title xml:lang="en">Enable SSL Support</xccdf:title> > <xccdf:description xml:lang="en"> > SSL should be used to encrypt network traffic between the > Dovecot server and its clients. Users must authenticate to the Dovecot server in order > to read their mail, and passwords should never be transmitted in clear text. In > addition, protecting mail as it is downloaded is a privacy measure, and clients may use > SSL certificates to authenticate the server, preventing another system from > impersonating the server. See Section 2.5.6 for general SSL information, including the > setup of a Certificate Authority (CA).</xccdf:description> > <xccdf:reference>Apache 2 with SSL/TLS: Step-by-step, Part 2. Tech. rep.</xccdf:reference> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.2.1"> > <xccdf:title xml:lang="en">Create an SSL Certificate</xccdf:title> > <xccdf:description xml:lang="en"> > Note: The following steps should be performed on your CA > system, and not on the Dovecot server itself. If you will have a commercial CA sign > certificates, then these steps should be performed on a separate, physically secure > system devoted to that purpose. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > On your CA (if you are using your own) or on another > physically secure system, generate a key pair for the Dovecot server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># cd /etc/pki/tls/certs <xhtml:br/> > # openssl genrsa -out imapserverkey.pem 2048 <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Next, generate a > certificate signing request (CSR) for the CA to sign, making sure to enter the > server's fully-qualified domain name when prompted for the Common Name: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl req -new -key imapserverkey.pem -out imapserver.csr <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Next, the mail server CSR must be > signed to create the Dovecot server certificate. You can either send the CSR to an > established CA or sign it with your CA. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To sign imapserver.csr using your CA: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># openssl ca -in imapserver.csr -out imapservercert.pem <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > This step creates a private key, > imapserverkey.pem, and a public certificate, imapservercert.pem. The Dovecot server > will use these to prove its identity by demonstrating that it has a certificate which > has been signed by a CA. 
POP3 or IMAP clients at your site should only be willing to > provide users' credentials to a server they can authenticate.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.2.2"> > <xccdf:title xml:lang="en">Install the SSL Certificate</xccdf:title> > <xccdf:description xml:lang="en"> > Create the PKI directory for POP and IMAP certificates if it > does not already exist: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># mkdir /etc/pki/tls/imap <xhtml:br/> > # chown root:root /etc/pki/tls/imap<xhtml:br/> > # chmod 755 /etc/pki/tls/imap <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Using removable media or some other secure transmission > format, install the files generated in the previous step onto the Dovecot server: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>/etc/pki/tls/imap/serverkey.pem: the private key imapserverkey.pem</xhtml:li><xhtml:li>/etc/pki/tls/imap/servercert.pem: the certificate file imapservercert.pem</xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify the permissions on these files: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/imap/serverkey.pem <xhtml:br/> > # chown root:root /etc/pki/tls/imap/servercert.pem <xhtml:br/> > # chmod 600 /etc/pki/tls/imap/serverkey.pem<xhtml:br/> > # chmod 600 /etc/pki/tls/imap/servercert.pem <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Verify that the CA's public certificate > file has been installed as /etc/pki/tls/CA/cacert.pem, and has the correct > 
permissions: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chown root:root /etc/pki/tls/CA/cacert.pem <xhtml:br/> > # chmod 644 /etc/pki/tls/CA/cacert.pem</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.2.3"> > <xccdf:title xml:lang="en">Configure Dovecot to Use the SSL Certificate</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/dovecot.conf and add or correct the following lines > (ensuring they reference the appropriate files): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ssl_cert_file = /etc/pki/tls/imap/servercert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ssl_key_file = /etc/pki/tls/imap/serverkey.pem<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ssl_ca_file = /etc/pki/tls/CA/cacert.pem <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > These options tell Dovecot where to find the > TLS configuration, allowing clients to make encrypted connections.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.2.4"> > <xccdf:title xml:lang="en">Disable Plaintext Authentication</xccdf:title> > <xccdf:description xml:lang="en"> > To prevent Dovecot from attempting plaintext authentication > of clients, edit /etc/dovecot.conf and add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > disable_plaintext_auth = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The disable_plaintext_auth command disallows > login-related commands until an encrypted session has been negotiated using SSL. 
If > client compatibility requires you to allow connections to the pop3 or imap ports, > rather than the alternate SSL ports, you should use this command to require STARTTLS > before authentication.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.2.2.4.a" selected="false" weight="10.0"> > <xccdf:title>Disable Plaintext Authentication</xccdf:title> > <xccdf:description>Dovecot plaintext authentication of clients should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4552-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dovecot.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20337"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.3"> > <xccdf:title xml:lang="en">Enable Dovecot Options to Protect Against Code Flaws</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/dovecot.conf and add or correct the following line:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > login_process_per_connection = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > mail_drop_priv_before_exec = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > IMAP and POP3 are > remote authenticated protocols, meaning that the server must accept remote connections > from anyone, but provide substantial services only to clients who have successfully > authenticated. To protect against security problems, Dovecot splits these functions into > separate server processes. The imap-login and/or pop3-login processes accept connections > from unauthenticated users, and only spawn imap or pop3 processes on successful > authentication. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > However, the imap-login and pop3-login processes themselves may contain > vulnerabilities. Since each of these processes operates as a daemon, handling multiple > sequential client connections from different users, bugs in the code could allow > unauthenticated users to steal credential data. If the login_process_per_connection > option is enabled, then a separate imap-login or pop3-login process is created for each > new connection, protecting against this class of problems. This option has an efficiency > cost, but is strongly recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the mail_drop_priv_before_exec option is on, the > imap-login or pop3-login process will drop privileges to the user's ID after > authentication and before executing the imap or pop3 process itself. Under some very > limited circumstances, this could protect against privilege escalation by authenticated > users. 
However, if the mail_executable option is used to run code before starting each > user's session, it is important to drop privileges to prevent the custom code from > running as root.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.2.3.a" selected="false" weight="10.0"> > <xccdf:title>Enable Dovecot Option mail_drop_priv_before_exec</xccdf:title> > <xccdf:description>The Dovecot option to drop privileges to user before executing mail process should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4371-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dovecot.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20338"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.17.2.3.b" selected="false" weight="10.0"> > <xccdf:title>Enable Dovecot Option login_process_per_connection</xccdf:title> > <xccdf:description>The Dovecot option to spawn a new login process per connection should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4410-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/dovecot.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20339"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.17.2.4"> > <xccdf:title xml:lang="en">Allow IMAP Clients to Access the Server</xccdf:title> > <xccdf:description xml:lang="en"> > Edit /etc/sysconfig/iptables. 
Add the following line, ensuring > that it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default > iptables configuration does not allow inbound access to any services. This modification > will allow remote hosts to initiate connections to the IMAP daemon, while keeping all > other ports on the server in their default protected state. See Section 2.5.5 for more > information about iptables.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18"> > <xccdf:title xml:lang="en">Samba(SMB) Microsoft Windows File Sharing Server</xccdf:title> > <xccdf:description xml:lang="en"> > When properly configured, the Samba service allows Linux machines > to provide file and print sharing to Microsoft Windows machines. There are two software > packages that provide Samba support. The first, samba-client, provides a series of command > line tools that enable a client machine to access Samba shares. The second, simply labeled > samba, provides the Samba service. It is this second package that allows a Linux machine to > act as an Active Directory server, a domain controller, or as a domain member. 
Only the > samba-client package is installed by default.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.1"> > <xccdf:title xml:lang="en">Disable Samba if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > If the Samba service has been enabled and will not be used, disable it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig smb off <xhtml:br/></xhtml:code> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Even after the Samba server package has been installed, it > will remain disabled. Do not enable this service unless it is absolutely necessary to > provide Microsoft Windows file and print sharing functionality.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.18.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable Samba if Possible</xccdf:title> > <xccdf:description>The smb service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4551-8</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20340"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2"> > <xccdf:title xml:lang="en">Configure Samba if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > All settings for the Samba daemon can be found in > /etc/samba/smb.conf. Settings are divided between a [global] configuration section and a > series of user created share definition sections meant to describe file or print shares on > the system. By default, Samba will operate in user mode and allow client machines to > access local home directories and printers. 
It is recommended that these settings be > changed or that additional limitations be set in place.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.1"> > <xccdf:title xml:lang="en">Testing the Samba Configuration File</xccdf:title> > <xccdf:description xml:lang="en"> > To test the configuration file for syntax errors, use the > testparm command. It will also list all settings currently in place, including defaults > that may not appear in the configuration file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># testparm -v</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.2"> > <xccdf:title xml:lang="en">Choosing the Appropriate security Parameter</xccdf:title> > <xccdf:description xml:lang="en"> > There are two kinds of security in Samba, share-level (share) > and user-level. User-level security is further subdivided into four separate > implementations: user, domain, ads, and server. It is recommended that the share and > server security modes not be used. In share security, everyone is given the same > password for each share, preventing individual user accountability. server security mode > has been superseded by the domain and ads security modes. It may now be considered > obsolete. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The security parameter is set in the [global] section of the Samba > configuration file. It determines how the server will handle user names and passwords. > Some security modes require additional parameters, such as workgroup, realm, or password > server names. All security modes will require that each remote user have a matching > local account. One workaround to this problem is to use the winbindd daemon. 
Please > consult the official Samba documentation to learn more.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.2.1"> > <xccdf:title xml:lang="en">Use user Security for Servers Not in a Domain Context</xccdf:title> > <xccdf:description xml:lang="en"> > This is the default setting with a new Samba installation and > the best choice when operating outside of a domain security context. The relevant > parameters in /etc/samba/smb.conf will read as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > security = user <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > workgroup = MYGROUP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Set the value of workgroup so that it matches the value of other machines on > the network. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > In user mode, authentication requests are handled locally and not passed > on to a separate authentication server. This is the desired behavior for standalone > servers and domain controllers.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.2.2"> > <xccdf:title xml:lang="en">Use domain Security for Servers in a Domain Context</xccdf:title> > <xccdf:description xml:lang="en"> > First, change the security parameter to domain. 
> Next, set the workgroup and netbios name parameters (if necessary): <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > security = domain<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > workgroup = WORKGROUP <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > netbios name = NETBIOSNAME <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > domain mode is used for any machine > that will act as a domain member server. It lets Samba know that the authentication > information it needs can be found on another machine. Primary and Backup Domain > Controllers host copies of this information. Samba will try to automatically determine > which machine it should authenticate against on a domain network. If this detection > fails, it may be necessary to specify the location manually. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Unlike the Microsoft > Windows implementation of the SMB standard, a Samba machine can freely change roles > within a domain without requiring that the machine be reinstalled (such roles include > primary and backup domain controllers, domain member servers, and ordinary domain > workstations). However, there are some limitations on how each machine can fulfill > each role in a mixed network.</xccdf:description> > <xccdf:warning xml:lang="en">When using Samba as a Primary or Backup Domain Controller, > use security = user, not security = domain. This tells Samba that the local machine is > hosting the authentication backend. 
</xccdf:warning> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.2.3"> > <xccdf:title xml:lang="en">Use ads (Active Directory Service) Security For Servers in an ADS > Domain Context</xccdf:title> > <xccdf:description xml:lang="en"> > The security mode ads enables a Samba machine to act > as an ADS domain member server. Since ADS requires Kerberos, be sure to set the realm > parameter appropriately and configure the local copy of Kerberos. If necessary, it is > also possible to manually set the password server parameter. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > security = ads <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > realm = MY_REALM <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > password server = your.kerberos.server <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Currently, it is possible to act as an > Active Directory domain member server, but not as a domain controller. Be sure to > operate in mixed mode. Native mode may not work yet in current versions of Samba. > Future support for ADS should be forthcoming in Samba 4. See the Samba project web > site at http://www.samba.org for more details.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.3"> > <xccdf:title xml:lang="en">Disable Guest Access and Local Login Support</xccdf:title> > <xccdf:description xml:lang="en"> > Do not allow guest users to access local file or printer > shares. 
In global or in each share, set the parameter guest ok to no: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > guest ok = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is safe to disable local login support for remote Samba users. Consider changing > the add user account script to set remote user shells to /sbin/nologin.</xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.18.2.3.a" selected="false" weight="10.0"> > <xccdf:title>Disable Guest Access and Local Login Support</xccdf:title> > <xccdf:description>Do not allow guest users to access local file or printer shares. In global or in each share, set the parameter guest ok to no.</xccdf:description> > <xccdf:fixtext>(1) via /etc/samba/smb.conf in [share] guest ok = no </xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:203403"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.4"> > <xccdf:title xml:lang="en">Disable Root Access</xccdf:title> > <xccdf:description xml:lang="en"> > Administrators should not use administrator accounts to access > Samba file and printer shares. If possible, disable the root user and the wheel > administrator group: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > invalid users = root @wheel <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If administrator accounts > cannot be disabled, ensure that local machine passwords and Samba service passwords do > not match. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Typically, administrator access is required when Samba must create user and > machine accounts and shares. Domain member servers and standalone servers may not need > administrator access at all. If that is the case, add the invalid users parameter to > [global] instead.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.5"> > <xccdf:title xml:lang="en">Set the Allowed Authentication Negotiation Levels</xccdf:title> > <xccdf:description xml:lang="en">By default, Samba will attempt to negotiate with Microsoft > Windows machines to set a common communication protocol. Whenever possible, be sure to > disable LANMAN authentication, as it is far weaker than the other supported protocols.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > client lanman auth = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note that the parameters whose names begin with client (client lanman auth, client ntlmv2 auth) govern only the > connections Samba itself initiates as a client, for example through smbclient or winbind; they do not change what > this server accepts from connecting clients. To refuse LANMAN authentication from clients of this server, also set > lanman auth = no in [global]. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Newer versions of Microsoft Windows may require the use > of NTLMv2. NTLMv2 is the preferred protocol for authentication, but since older machines > do not support it, Samba has disabled it by default. If possible, reenable it. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [global]<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > client ntlmv2 auth = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For the sake of backwards compatibility, most modern Windows > machines will still allow other machines to communicate with them over weak protocols > such as LANMAN. On Samba, by enabling NTLMv2, you are also disabling LANMAN and NTLMv1. 
> If NTLMv1 is required, it is still possible to individually disable LANMAN.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.6"> > <xccdf:title xml:lang="en">Let Domain Controllers Create Machine Trust Accounts On-the-Fly</xccdf:title> > <xccdf:description xml:lang="en"> > Add or correct an add machine script entry to the [global] > section of /etc/samba/smb.conf to allow Samba to dynamically create Machine Trust > Accounts: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > add machine script = /usr/sbin/useradd -n -g machines -d /dev/null -s /sbin/nologin %u <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Make sure that the group machines exists. If not, add it with the > following command: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > /usr/sbin/groupadd machines <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > When acting as a PDC, it becomes > necessary to create and store Machine Trust Accounts for each machine that joins the > domain. On a Microsoft Windows PDC, this account is created with the Server Manager > tool, but on a Samba PDC, two accounts must be created. The first is the local machine > account, and the second is the Samba account. For security purposes, it is recommended > to let Samba create these accounts on-the-fly. 
When Machine Trust Accounts are created > manually, there is a small window of opportunity in which a rogue machine could join the > domain in place of the new server.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.7"> > <xccdf:title xml:lang="en">Restrict Access to the [IPC$] Share</xccdf:title> > <xccdf:description xml:lang="en"> > Limit access to the [IPC$] share so that only machines in your > network will be able to connect to it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [IPC$] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > hosts allow = 192.168.1. 127.0.0.1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > hosts deny = 0.0.0.0/0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The [IPC$] share allows users to anonymously fetch a list of shared > resources from a server. It is intended to allow users to browse the list of available > shares. It also can be used as a point of attack into a system. Disabling it completely > may break some functionality, so it is recommended that you merely limit access to it > instead.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.8"> > <xccdf:title xml:lang="en">Restrict File Sharing</xccdf:title> > <xccdf:description xml:lang="en"> > Only users with local user accounts will be able to log in to > Samba shares by default. Shares can be limited to particular users or network addresses. > Use the hosts allow and hosts deny directives accordingly, and consider setting the > valid users directive to a limited subset of users or to a group of users. Separate each > address, user, or user group with a space as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [share] hosts allow = 192.168.1. 
127.0.0.1 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > valid users = userone usertwo @usergroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > It is also possible to limit read and > write access to particular users with the read list and write list options, though the > permissions set by the system itself will override these settings. Set the read only > attribute for each share to ensure that global settings will not accidentally override > the individual share settings. Then, as with the valid users directive, separate each > user or group of users with a space: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [share] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > read only = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > write list = userone usertwo @usergroup <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Samba service is only required for sharing files and printers > with Microsoft Windows workstations, and even then, other options may exist. Do not use > the Samba service to share files between Unix or Linux machines.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.9"> > <xccdf:title xml:lang="en">Require Server SMB Packet Signing</xccdf:title> > <xccdf:description xml:lang="en"> > To make the server use packet signing, add the following to the [global] section of the Samba configuration > file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > server signing = mandatory<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Samba server should only communicate with clients who can support SMB packet signing. 
Packet signing > can prevent man-in-the-middle attacks which modify SMB packets in transit.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The Samba service is only required for sharing files and printers with Microsoft Windows workstations, and even > then, other options may exist. Do not use the Samba service to share files between Unix or Linux machines. > </xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.10"> > <xccdf:title xml:lang="en">Require Client SMB Packet Signing, if using smbclient</xccdf:title> > <xccdf:description xml:lang="en"> > To require samba clients running smbclient to use packet signing, add the following to the [global] section > of the Samba configuration file:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > client signing = mandatory<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > A Samba client should only communicate with servers who can support SMB packet signing. Packet signing can > prevent man-in-the-middle attacks which modify SMB packets in transit. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.18.2.10.a" selected="false" weight="10.0"> > <xccdf:title>Require Client SMB Packet Signing, if using smbclient</xccdf:title> > <xccdf:description> > Require samba clients running smbclient to use packet signing. A Samba client should only communicate with servers who can support SMB packet signing. 
Packet signing can > prevent man-in-the-middle attacks which modify SMB packets in transit.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4556-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/samba/smb.conf in [global] client signing = mandatory</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:2034010"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.11"> > <xccdf:title xml:lang="en">Require Client SMB Packet Signing, if using mount.cifs</xccdf:title> > <xccdf:description xml:lang="en"> > Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who > specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are > used.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers > who can support SMB packet signing. Packet signing can prevent man-in-the-middle attacks which modify SMB > packets in transit. > </xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.18.2.11.a" selected="false" weight="10.0"> > <xccdf:title>Require Client SMB Packet Signing, if using mount.cifs</xccdf:title> > <xccdf:description> > Require packet signing of clients who mount Samba shares using the mount.cifs program (e.g., those who > specify shares in /etc/fstab). To do so, ensure that signing options (either sec=krb5i or sec=ntlmv2i) are > used.<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > See the mount.cifs(8) man page for more information. A Samba client should only communicate with servers > who can support SMB packet signing. 
Packet signing can prevent man-in-the-middle attacks which modify SMB > packets in transit.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4556-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/fstab</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:2034011"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.12"> > <xccdf:title xml:lang="en">Restrict Printer Sharing</xccdf:title> > <xccdf:description xml:lang="en"> > By default, Samba utilizes the CUPS printing service to enable > printer sharing with Microsoft Windows workstations. If there are no printers on the > local machine, or if printer sharing with Microsoft Windows is not required, disable the > printer sharing capability by commenting out the following lines, found in /etc/ > samba/smb.conf: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [global] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ; load printers = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ; cups options = raw <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [printers] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > comment = All Printers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > path = /usr/spool/samba <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > browseable = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > guest ok = no <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > writable = no > printable = yes <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > There may be other options present, but these are the only options > enabled and uncommented by default. 
Removing the [printers] share should be enough for > most users. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the Samba printer sharing capability is needed, consider disabling the > Samba network browsing capability or restricting access to a particular set of users or > network addresses. Set the valid users parameter to a small subset of users or restrict > it to a particular group of users with the shorthand @. Separate each user or group of > users with a space. For example, under the [printers] share: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [printers] <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > valid users = user @printerusers <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The CUPS service is capable of sharing printers with other Unix and > Linux machines on the local network without the Samba service. The Samba service is only > required when a Microsoft Windows machine needs printer access on a Unix or Linux host.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.2.13"> > <xccdf:title xml:lang="en">Configure iptables to Allow Access to the Samba Server</xccdf:title> > <xccdf:description xml:lang="en"> > Determine an appropriate network block, netwk , and network > mask, mask , representing the machines on your network which should operate as clients > of the Samba server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/sysconfig/iptables. 
Add the following lines, ensuring > that they appear before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 137 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 138 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 139 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 445 -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The NetBIOS name service (port 137) and datagram service (port 138) use UDP, while the > NetBIOS session service (port 139) and direct-hosted SMB (port 445) use TCP; a rule for the wrong protocol > silently fails to open the port. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default Iptables configuration does not allow inbound access to the ports used by > the Samba service. This modification allows that access, while keeping other ports on > the server in their default protected state. Since these ports are frequent targets of > network scanning attacks, restricting access to only the network segments which need to > access the Samba server is strongly recommended. See Section 2.5.5 for more information > about Iptables.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.18.3"> > <xccdf:title xml:lang="en">Avoid the Samba Web Administration Tool (SWAT)</xccdf:title> > <xccdf:description xml:lang="en"> > SWAT is a web based configuration tool provided by the Samba team > that enables both local and remote configuration management. It is not installed by > default. It is recommended that SWAT not be used, as it requires the use of a Samba > administrator account and sends that password in the clear over a network connection. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If > SWAT is absolutely required, limit access to the local machine or tunnel SWAT connections > through SSL with stunnel.</xccdf:description> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19"> > <xccdf:title xml:lang="en">Proxy Server</xccdf:title> > <xccdf:description xml:lang="en"> > A proxy server is a very desirable target for a potential adversary > because much (or all) sensitive data for a given infrastructure may flow through it. > Therefore, if one is required, the machine acting as a proxy server should be dedicated to > that purpose alone and be stored in a physically secure location. The system's default proxy > server software is Squid, and is provided in an RPM package of the same name.</xccdf:description> > <xccdf:reference>Galarneau, E. Security Considerations with Squid proxy server. Tech. rep., Apr 2003</xccdf:reference> > <xccdf:reference>Wessels, D. Squid: The Definitive Guide. 
O'Reilly and Associates, Jan 2004</xccdf:reference> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.1"> > <xccdf:title xml:lang="en">Disable Squid if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > If Squid was installed and activated, but the system does not > need to act as a proxy server, then it should be disabled and removed: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig squid off <xhtml:br/> > # yum erase squid</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.1.a" selected="false" severity="low" weight="10.0"> > <xccdf:title>Disable Squid if Possible</xccdf:title> > <xccdf:description>The squid service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4556-7</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20341"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.1.b" selected="false" weight="10.0"> > <xccdf:title>Uninstall Squid if Possible</xccdf:title> > <xccdf:description>The squid package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4076-6</xccdf:ident> > <xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20342"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2"> > <xccdf:title xml:lang="en">Configure Squid if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > The Squid configuration file is /etc/squid/squid.conf. 
The > following recommendations can be applied to this file. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: If a particular tag is not > present in the configuration file, Squid falls back to the default setting (which is often > illustrated by a comment).</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.1"> > <xccdf:title xml:lang="en">Listen on Uncommon Port</xccdf:title> > <xccdf:description xml:lang="en"> > The default listening port for the Squid service is 3128. As > such, it is frequently scanned by adversaries looking for proxy servers. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Select an > arbitrary (but uncommon) high port to use as the Squid listening port and make the > corresponding change to the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > http_port port <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Run the following command > to add a new SELinux port mapping for the service: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># semanage port -a -t http_cache_port_t -p tcp port</xhtml:code></xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.2"> > <xccdf:title xml:lang="en">Verify Default Secure Settings</xccdf:title> > <xccdf:description xml:lang="en"> > Several security-enhancing settings in the Squid configuration > file are enabled by default, but appear as comments in the configuration file (as > mentioned in Section 3.19.2). In these instances, the explicit directive is not present, > which means it is implicitly enabled. 
If you are operating with a default configuration > file, this section can be ignored. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Ensure that the following security settings are NOT > explicitly changed from their default values: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ftp_passive on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ftp_sanitycheck on<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > check_hostnames on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > request_header_max_size 20 KB <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > reply_header_max_size 20 KB<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > cache_effective_user squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > cache_effective_group squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ignore_unknown_nameservers on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ftp_passive forces FTP passive connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ftp_sanitycheck performs additional sanity checks on FTP data connections. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > check_hostnames ensures that hostnames meet RFC compliance. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > request_header_max_size and reply_header_max_size place an upper limit on > HTTP header length, precautions against denial-of-service and buffer overflow > vulnerabilities. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > cache_effective_user and cache_effective_group designate the EUID and > EGID of Squid following initialization (it is essential that the EUID/EGID be set to an > unprivileged sandbox account). <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > ignore_unknown_nameservers checks to make sure that DNS > responses come from the same IP the request was sent to.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.2.d" operator="equals" type="string"> > <xccdf:title>request_header_max_size</xccdf:title> > <xccdf:description xml:lang="en">Place an upper limit on HTTP request header length, precautions against denial-of-service and buffer overflow vulnerabilities.</xccdf:description> > <xccdf:question xml:lang="en">Specify an upper limit on HTTP request header length</xccdf:question> > <xccdf:value>20kb</xccdf:value> > <xccdf:value selector="20kb">20kb</xccdf:value> > <xccdf:match>^[\d][KMGkmg]?[Bb]?$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.2.e" operator="equals" type="string"> > <xccdf:title>reply_header_max_size</xccdf:title> > <xccdf:description xml:lang="en">Place an upper limit on HTTP reply header length, precautions against denial-of-service and buffer overflow vulnerabilities.</xccdf:description> > <xccdf:question xml:lang="en">Specify an upper limit on HTTP reply header length</xccdf:question> > <xccdf:value>20kb</xccdf:value> > <xccdf:value selector="20kb">20kb</xccdf:value> > <xccdf:match>^[\d][KMGkmg]?[Bb]?$</xccdf:match> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.2.f" operator="equals" type="string"> > <xccdf:title>cache_effective_user</xccdf:title> > <xccdf:description xml:lang="en">Designate the EUID of Squid following initialization (it is essential that the EUID be set to an unprivileged sandbox 
account)..</xccdf:description> > <xccdf:question xml:lang="en">Designate the EUID of Squid following initialization</xccdf:question> > <xccdf:value>squid</xccdf:value> > <xccdf:value selector="squid">squid</xccdf:value> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.2.g" operator="equals" type="string"> > <xccdf:title>cache_effective_group</xccdf:title> > <xccdf:description xml:lang="en">Designate the EGID of Squid following initialization (it is essential that the EGID be set to an unprivileged sandbox account)..</xccdf:description> > <xccdf:question xml:lang="en">Designate the EGID of Squid following initialization</xccdf:question> > <xccdf:value>squid</xccdf:value> > <xccdf:value selector="squid">squid</xccdf:value> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.a" selected="false" weight="10.0"> > <xccdf:title>Verify ftp_passive setting</xccdf:title> > <xccdf:description>The Squid option to force FTP passive connections should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4454-5</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20343"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.b" selected="false" weight="10.0"> > <xccdf:title>Verify ftp_sanitycheck setting</xccdf:title> > <xccdf:description>The Squid option to perform FTP sanity checks should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4459-4</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20344"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.c" 
selected="false" weight="10.0"> > <xccdf:title>Verify check_hostnames setting</xccdf:title> > <xccdf:description>The Squid option to check for RFC compliant hostnames should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4503-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20345"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.d" selected="false" weight="10.0"> > <xccdf:title>Verify request_header_max_size setting</xccdf:title> > <xccdf:description>The Squid max request HTTP header length should be set to an appropriate value</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4353-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20346" value-id="xccdf_cdf_value_var-3.19.2.2.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20346"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.e" selected="false" weight="10.0"> > <xccdf:title>Verify reply_header_max_size setting</xccdf:title> > <xccdf:description>The Squid max reply HTTP header length should be set to an appropriate value</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4419-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20347" value-id="xccdf_cdf_value_var-3.19.2.2.e"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20347"/> > </xccdf:check> > </xccdf:Rule> > 
<xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.f" selected="false" weight="10.0"> > <xccdf:title>Verify cache_effective_user setting</xccdf:title> > <xccdf:description>The Squid EUID should be set to an appropriate user</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3692-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20348" value-id="xccdf_cdf_value_var-3.19.2.2.f"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20348"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.g" selected="false" weight="10.0"> > <xccdf:title>Verify cache_effective_group setting</xccdf:title> > <xccdf:description>The Squid EGID should be set to an appropriate group</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4476-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20349" value-id="xccdf_cdf_value_var-3.19.2.2.g"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20349"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.2.h" selected="false" weight="10.0"> > <xccdf:title>Verify ignore_unknown_nameservers setting</xccdf:title> > <xccdf:description>The Squid option to ignore unknown nameservers should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3585-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20350"/> > </xccdf:check> > </xccdf:Rule> > 
</xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.3"> > <xccdf:title xml:lang="en">Change Default Insecure Settings</xccdf:title> > <xccdf:description xml:lang="en"> > The default configuration settings for the following tags are > considered to be weak security and NOT recommended. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Add or modify the configuration file to include the following lines: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > allow_underscore off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > httpd_suppress_version_string on<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > forwarded_for off <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > log_mime_hdrs on <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > allow_underscore enforces RFC 1034 compliance on > hostnames by disallowing the use of underscores. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > httpd_suppress_version_string prevents > Squid from revealing version information in web headers and error pages. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > forwarded_for > reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the > leakage of internal network configuration details. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > log_mime_hdrs enables logging of HTTP > response/request headers.</xccdf:description> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.3.a" operator="equals" type="string"> > <xccdf:title>allow_underscore</xccdf:title> > <xccdf:description xml:lang="en">allow_underscore enforces RFC 1034 compliance on hostnames by disallowing the use of underscores.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable enforcing RFC 1034 compliance on hostnames</xccdf:question> > <xccdf:value>off</xccdf:value> > <xccdf:value selector="enabled">on</xccdf:value> > <xccdf:value selector="disabled">off</xccdf:value> > <xccdf:match>on|off</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>on</xccdf:choice> > <xccdf:choice>off</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.3.b" operator="equals" type="string"> > <xccdf:title>httpd_suppress_version</xccdf:title> > <xccdf:description xml:lang="en">httpd_suppress_version_string prevents Squid from revealing version information in web headers and error pages.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable preventing squid from revealing version information in web headers and error pages</xccdf:question> > <xccdf:value>on</xccdf:value> > <xccdf:value selector="enabled">on</xccdf:value> > <xccdf:value selector="disabled">off</xccdf:value> > <xccdf:match>on|off</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>on</xccdf:choice> > <xccdf:choice>off</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.3.c" operator="equals" type="string"> > <xccdf:title>forwarded_for</xccdf:title> > <xccdf:description xml:lang="en">forwarded_for reveals proxy client IP addresses in HTTP headers and should be disabled to prevent the leakage of internal network configuration details. 
</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable revealing proxy client IP addresses in HTTP headers</xccdf:question> > <xccdf:value>off</xccdf:value> > <xccdf:value selector="enabled">on</xccdf:value> > <xccdf:value selector="disabled">off</xccdf:value> > <xccdf:match>on|off</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>on</xccdf:choice> > <xccdf:choice>off</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Value id="xccdf_cdf_value_var-3.19.2.3.d" operator="equals" type="string"> > <xccdf:title>log_mime_hdrs</xccdf:title> > <xccdf:description xml:lang="en">log_mime_hdrs enables logging of HTTP response/request headers.</xccdf:description> > <xccdf:question xml:lang="en">Enable/Disable logging of HTTP response/request headers</xccdf:question> > <xccdf:value>on</xccdf:value> > <xccdf:value selector="enabled">on</xccdf:value> > <xccdf:value selector="disabled">off</xccdf:value> > <xccdf:match>on|off</xccdf:match> > <xccdf:choices mustMatch="1"> > <xccdf:choice>on</xccdf:choice> > <xccdf:choice>off</xccdf:choice> > </xccdf:choices> > </xccdf:Value> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.3.a" selected="false" weight="10.0"> > <xccdf:title>Check allow_underscore setting</xccdf:title> > <xccdf:description>The Squid option to allow underscores in hostnames should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4344-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20351" value-id="xccdf_cdf_value_var-3.19.2.3.a"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20351"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.3.b" selected="false" weight="10.0"> > <xccdf:title>Check httpd_suppress_version setting</xccdf:title> > <xccdf:description>The Squid option 
to suppress the httpd version string should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4494-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20352" value-id="xccdf_cdf_value_var-3.19.2.3.b"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20352"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.3.c" selected="false" weight="10.0"> > <xccdf:title>Check forwarded_for setting</xccdf:title> > <xccdf:description>The Squid option to show proxy client IP addresses in HTTP headers should be disabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4181-4</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20353" value-id="xccdf_cdf_value_var-3.19.2.3.c"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20353"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.3.d" selected="false" weight="10.0"> > <xccdf:title>Check log_mime_hdrs setting</xccdf:title> > <xccdf:description>The Squid option to log HTTP MIME headers should be enabled</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4577-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-export export-name="oval:org.open-scap.f14:var:20354" value-id="xccdf_cdf_value_var-3.19.2.3.d"/> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20354"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" 
id="xccdf_cdf_group_group-3.19.2.4"> > <xccdf:title xml:lang="en">Configure Authentication if Applicable</xccdf:title> > <xccdf:description xml:lang="en"> > Note: Authentication cannot be used in the case of transparent > proxies due to limitations of the TCP/IP protocol. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Similar to web servers, two of the > available options are Basic and Digest authentication. The other options are NTLM and > Negotiate authentication. As noted in Section 3.16.3.5, Basic authentication transmits > passwords in plain-text and is susceptible to passive monitoring. If network sniffing is > a concern, basic authentication should not be used. Negotiate is the newest and most > secure protocol. It attempts to use Kerberos authentication and falls back to NTLM if it > cannot. It should be noted that Kerberos requires a third-party Key Distribution Center > (KDC) to function properly, whereas the other methods of authentication are two-party > schemes. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Squid also offers the ability to choose a custom external authenticator. > Designating an external authenticator (also known as a 'helper' module) allows Squid to > offer pluggable third-party authentication schemes. LDAP is one example of a helper > module that exists and is in use today. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > There are comments under the auth_param tag > inside /etc/squid/squid.conf that provide extensive detail on how to configure each of > these methods. If authentication is necessary, choose a method of authentication and > configure appropriately. The recommended minimum configurations illustrated for each > method are acceptable. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To force an ACL (as discussed in Section 3.19.2.5) to require > authentication, use the following directive: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > acl name-of-ACL proxy_auth REQUIRED <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: > The keyword REQUIRED can be replaced with a user or list of users to further restrict > access to a smaller subset of users.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.5"> > <xccdf:title xml:lang="en">Access Control Lists (ACL)</xccdf:title> > <xccdf:description xml:lang="en"> > The acl and http_access tags are used in combination to allow filtering based on a series of > access control lists. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Squid has a list of default ACLs for localhost, SSL ports, and > 'safe' ports. Following the definition of these ACLs, a series of http_access directives > establish the following default filtering policy: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>Allow cachemgr access only from localhost </xhtml:li><xhtml:li>Allow access to only ports in the 'safe' access control list</xhtml:li><xhtml:li>Limit CONNECT method to SSL ports only</xhtml:li><xhtml:li>Allow access from localhost</xhtml:li><xhtml:li>Deny all other requests</xhtml:li></xhtml:ul><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The > default ACL policies are reasonable from a security standpoint. 
However, the number of > ports listed as 'safe' could be significantly trimmed depending on the needs of your > network. Out of the box, ports 21, 70, 80, 210, 280, 443, 488, 591, 777, and 1025 > through 65535 are all considered safe. Some of these ports are associated with > deprecated or rarely used protocols. As such, this list could be trimmed to further > tighten filtering. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The following actions should be taken to tighten the ACL policies: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ol xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>There is a filter line in the configuration file that is recommended but commented out. > This line should be uncommented or added to prevent access to localhost from the proxy:<xhtml:br/> > <xhtml:br/> > http_access deny to_localhost </xhtml:li><xhtml:li>An access list should be set up for the specific network > or networks that the proxy is intended to serve. Only this subset of IP addresses should > be allowed access. <xhtml:br/> > <xhtml:br/> > Add these lines where the following comment appears: <xhtml:br/> > <xhtml:br/> > # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS <xhtml:br/> > acl your-network-acl-name src ip-range <xhtml:br/> > http_access allow your-network-acl-name <xhtml:br/> > <xhtml:br/> > Note: ip-range is of the format xxx.xxx.xxx.xxx/xx</xhtml:li><xhtml:li>Ensure that the final http_access line to appear in the document > is the following: <xhtml:br/> > <xhtml:br/> > http_access deny all <xhtml:br/> > <xhtml:br/> > This guarantees that all traffic not meeting an > explicit filtering rule is denied. <xhtml:br/> > <xhtml:br/> > Further filters should be established to meet the > specific needs of a network, explicitly allowing access only where necessary.</xhtml:li><xhtml:li>Consult > the chart below. 
Corresponding acl entries for unused protocols should be commented out > and thus denied. </xhtml:li></xhtml:ol><xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:table xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:thead><xhtml:tr><xhtml:td>Port</xhtml:td><xhtml:td>Service</xhtml:td><xhtml:td>Summary</xhtml:td><xhtml:td>Recommendation</xhtml:td></xhtml:tr></xhtml:thead><xhtml:tbody><xhtml:tr><xhtml:td>21</xhtml:td><xhtml:td>ftp</xhtml:td><xhtml:td>File Transfer Protocol(FTP) > is a widely used file transfer protocol. </xhtml:td><xhtml:td>ALLOW</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>70</xhtml:td><xhtml:td>gopher</xhtml:td><xhtml:td>The gopher protocol is a > deprecated search and retrieval protocol that is almost extinct, with as few as 100 > gopher servers present worldwide. Support for gopher is disabled in most modern > browsers. </xhtml:td><xhtml:td>DENY</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>80</xhtml:td><xhtml:td>http</xhtml:td><xhtml:td>A web proxy needs to allow access to HTTP traffic. </xhtml:td><xhtml:td>ALLOW</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>210</xhtml:td><xhtml:td>wais</xhtml:td><xhtml:td>The Wide Area Information Server port is similar to gopher, serving as a text searching > system to scour indexes on remote machines. Today, it is deprecated and nearly > non-existent on the Internet. </xhtml:td><xhtml:td>DENY</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>280</xhtml:td><xhtml:td>http-mgmt</xhtml:td><xhtml:td>No documentation of any kind could be > found on the obscure service that resides on this port. </xhtml:td><xhtml:td>DENY</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>443</xhtml:td><xhtml:td>https</xhtml:td><xhtml:td>SSL traffic is > likely (and recommended) for any proxy and should be allowed. 
</xhtml:td><xhtml:td>ALLOW</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>488</xhtml:td><xhtml:td>gss-http</xhtml:td><xhtml:td>No > documentation of any kind could be found on the obscure service that resides on this > port. </xhtml:td><xhtml:td>DENY</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>591</xhtml:td><xhtml:td>filemaker</xhtml:td><xhtml:td>Filemaker is a database application originally offered by Apple > in the 1980s. Although development continues and it remains in use today, it should be > disabled if your network does not require such traffic. </xhtml:td><xhtml:td>DENY</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>777</xhtml:td><xhtml:td>multiling http</xhtml:td><xhtml:td>No documentation of any kind could be found on > the obscure service that resides on this port</xhtml:td><xhtml:td>DENY</xhtml:td></xhtml:tr><xhtml:tr><xhtml:td>1025-65535</xhtml:td><xhtml:td>unregistered ports http</xhtml:td><xhtml:td>unregistered > ports Random high ports are used by a variety of applications and should be allowed.</xhtml:td><xhtml:td>ALLOW</xhtml:td></xhtml:tr></xhtml:tbody></xhtml:table></xccdf:description> > <xccdf:warning xml:lang="en">Be very careful with the order of access control tags. Access > control is handled top-down. The first rule that matches is the only rule adhered to. > The last rule on the list defines the default behavior in the case of no rule match. 
</xccdf:warning> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.a" selected="false" weight="10.0"> > <xccdf:title>Restrict gss-http traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow gss-http traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4511-2</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20355"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.b" selected="false" weight="10.0"> > <xccdf:title>Restrict https traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow https traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4529-4</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20356"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.c" selected="false" weight="10.0"> > <xccdf:title>Restrict wais traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow wais traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3610-3</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20357"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.d" selected="false" weight="10.0"> > <xccdf:title>Restrict multiling http traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow multiling http traffic</xccdf:description> > <xccdf:ident 
system="http://cce.mitre.org">CCE-4466-9</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20358"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.e" selected="false" weight="10.0"> > <xccdf:title>Restrict http traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow http traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4607-8</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20359"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.f" selected="false" weight="10.0"> > <xccdf:title>Restrict ftp traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow ftp traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4255-6</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20360"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.g" selected="false" weight="10.0"> > <xccdf:title>Restrict gopher traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow gopher traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4127-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20361"/> 
> </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.h" selected="false" weight="10.0"> > <xccdf:title>Restrict filemaker traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow filemaker traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4519-5</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20362"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.i" selected="false" weight="10.0"> > <xccdf:title>Restrict proxy access to localhost </xccdf:title> > <xccdf:description>Squid proxy access to localhost should be denied</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4413-1</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20363"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.19.2.5.j" selected="false" weight="10.0"> > <xccdf:title>Restrict http-mgmt traffic</xccdf:title> > <xccdf:description>Squid should be configured to not allow http-mgmt traffic</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4373-7</xccdf:ident> > <xccdf:fixtext>(1) via /etc/squid/squid.conf</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20364"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.6"> > <xccdf:title xml:lang="en">Configure Internet Cache Protocol (ICP) if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > The ICP 
protocol is a cache communication protocol that allows > multiple Squid servers to communicate. The ICP protocol was designed with no security in > mind, relying on user-defined access control lists alone to determine which ICP messages > to allow. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If a Squid server is standalone, the ICP port should be disabled by adding or > correcting the following line in the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > icp_port 0 <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If the Squid server > is meant to speak with peers, strict ACLs should be established to only allow ICP > traffic from trusted neighbors. To accomplish this, add or correct the following lines:<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > icp_access allow acl-defining-trusted-neighbors <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > icp_access deny all</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.7"> > <xccdf:title xml:lang="en">Configure iptables to Allow Access to the Proxy Server</xccdf:title> > <xccdf:description xml:lang="en"> > Determine an appropriate network block, netwk , and network > mask, mask , representing the machines on your network which should operate as clients > of the proxy server. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit /etc/sysconfig/iptables. 
Add the following line, ensuring that > it appears before the final LOG and DROP lines for the RH-Firewall-1-INPUT chain: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > -A RH-Firewall-1-INPUT -s netwk /mask -m state --state NEW -p tcp --dport port -j ACCEPT<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > For port , use either the default 3128 or the alternate port was selected in Section > 3.19.2.1. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > The default Iptables configuration does not allow inbound access to the Squid > proxy service. This modification allows that access, while keeping other ports on the > server in their default protected state. See Section 2.5.5 for more information about > Iptables.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.8"> > <xccdf:title xml:lang="en">Forward Log Messages to Syslog Daemon</xccdf:title> > <xccdf:description xml:lang="en"> > The default behavior of Squid is to record its log messages in > /var/log/squid.log. This behavior can be supplemented so that Squid also sends messages > to syslog as well. This is useful for centralizing log data, particularly in instances > where multiple Squid servers are present. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Squid provides a command line argument to > enable syslog forwarding. 
Modify the SQUID OPTS line in /etc/init.d/squid to include the > -s option: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > SQUID_OPTS="${SQUID_OPTS:-"-D"} -s"</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.9"> > <xccdf:title xml:lang="en">Do Not Run as Root</xccdf:title> > <xccdf:description xml:lang="en"> > Since Squid is loaded by the system's service utility, it > starts as root and then changes its effective UID to the UID specified by the cache > effective user directive. However, since it was still executed by root, the program > maintains a saved UID of root even after changing its effective UID. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > To prevent this > undesired behavior, Squid must either be configured to run in a chroot environment or it > must be executed by a non-privileged user in non-daemon mode (the service utility must > not be used).</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.9.1"> > <xccdf:title xml:lang="en">Run Squid in a chroot Jail</xccdf:title> > <xccdf:description xml:lang="en"> > Chrooting Squid can be a very complicated task. Documentation > for the process is vague and a great deal of trial and error may be required to > determine all the files that need to be transitioned over to the chroot environment. > Therefore, this guide recommends instead the method detailed in Section 3.19.2.9.2 to > lower privileges. 
If chrooting Squid is still desired, it can be enabled with the > following directive in the configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > chroot chroot-path <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Then, all the > necessary files used by Squid must be copied into the chroot-path directory. The > specifics of this step cannot be covered in this guide because they are highly > dependent on the external programs used in the Squid configuration. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Note: The strace > utility is a valuable resource for discovering the files needed for the chroot > environment.</xccdf:description> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.19.2.9.2"> > <xccdf:title xml:lang="en">Modify Service Entry to Lower Privileges</xccdf:title> > <xccdf:description xml:lang="en">T > he following modification to /etc/init.d/squid forces the > service utility to execute Squid as the squid user instead of the root user: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > # determine the name of the squid binary <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [ -f /usr/sbin/squid ] && SQUID="sudo -u squid squid" <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Making this change prevents Squid from writing its pid to > /var/run. This pid file is used by service to check to see if the program started > successfully. Therefore, a new location must be chosen for this pid file that the > squid user has access to, and the corresponding references in /etc/init.d/squid must > be altered to point to it. 
<xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Make the following modification to the Squid configuration file: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > pid_filename /var/spool/squid/squid.pid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Edit the file /etc/init.d/squid by > changing all occurrences of /var/run/squid.pid to /var/spool/squid/ squid.pid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > Also modify the following line in /etc/init.d/squid: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > [ $RETVAL -eq 0 ] && touch /var/lock/subsys/squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > and add the following lines immediately after it: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > rm -f /var/lock/subsys/squid <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > status squid</xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.20"> > <xccdf:title xml:lang="en">SNMP Server</xccdf:title> > <xccdf:description xml:lang="en"> > The Simple Network Management Protocol allows administrators to > monitor the state of network devices, including computers. 
Older versions of SNMP were > well-known for weak security, such as plaintext transmission of the community string (used > for authentication) and also usage of easily-guessable choices for community string.</xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.20.1"> > <xccdf:title xml:lang="en">Disable SNMP Server if Possible</xccdf:title> > <xccdf:description xml:lang="en"> > The system includes an SNMP daemon that allows for its remote > monitoring, though it not installed by default. If it was installed and activated, it is > important that the software be disabled and removed. <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > If there is not a mission-critical > need for hosts at this site to be remotely monitored by a SNMP tool, then disable and > remove SNMP as follows: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:code xmlns:xhtml="http://www.w3.org/1999/xhtml"># chkconfig snmpd off <xhtml:br/> > # yum erase net-snmpd</xhtml:code></xccdf:description> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.20.1.a" selected="false" severity="medium" weight="10.0"> > <xccdf:title>Disable snmpd if Possible</xccdf:title> > <xccdf:description>The snmpd service should be disabled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-3765-5</xccdf:ident> > <xccdf:fixtext>(1) via chkconfig</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20365"/> > </xccdf:check> > </xccdf:Rule> > <xccdf:Rule id="xccdf_cdf_rule_rule-3.20.1.b" selected="false" weight="10.0"> > <xccdf:title>Uninstall net-snmp if Possible</xccdf:title> > <xccdf:description>The net-snmp package should be uninstalled.</xccdf:description> > <xccdf:ident system="http://cce.mitre.org">CCE-4404-0</xccdf:ident> > 
<xccdf:fixtext>(1) via yum</xccdf:fixtext> > <xccdf:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> > <xccdf:check-content-ref href="scap-fedora14-oval.xml" name="oval:org.open-scap.f14:def:20366"/> > </xccdf:check> > </xccdf:Rule> > </xccdf:Group> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.20.2"> > <xccdf:title xml:lang="en">Configure SNMP Server if Necessary</xccdf:title> > <xccdf:description xml:lang="en"> > If it is necessary to run the snmpd agent on the system, some > best practices should be followed to minimize the security risk from the installation. The > multiple security models implemented by SNMP cannot be fully covered here so only the > following general configuration advice can be offered: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>use only SNMP version 3 security > models and enable the use of authentication and encryption for those </xhtml:li><xhtml:li>write access to the > MIB (Management Information Base) should be allowed only if necessary </xhtml:li><xhtml:li>all access to the > MIB should be restricted following a principle of least privilege </xhtml:li><xhtml:li>network access should > be limited to the maximum extent possible including restricting to expected network > addresses both in the configuration files and in the system firewall rules </xhtml:li><xhtml:li>ensure SNMP > agents send traps only to, and accept SNMP queries only from, authorized management > stations </xhtml:li><xhtml:li>ensure that permissions on the snmpd.conf configuration file (by default, in > /etc/snmp) are 640 or more restrictive </xhtml:li><xhtml:li>ensure that any MIB files' permissions are also > 640 or more restrictive</xhtml:li></xhtml:ul></xccdf:description> > <xccdf:Group hidden="false" id="xccdf_cdf_group_group-3.20.2.1"> > <xccdf:title xml:lang="en">Further Resources</xccdf:title> > 
<xccdf:description xml:lang="en"> > The following resources provide more detailed information about the SNMP software: <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:br xmlns:xhtml="http://www.w3.org/1999/xhtml"/> > <xhtml:ul xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:li>The CERT SNMP Vulnerabilities FAQ at http://www.cert.org/tech > tips/snmp faq.html </xhtml:li><xhtml:li>The Net-SNMP project web page at http://net-snmp.sourceforge.net </xhtml:li><xhtml:li>The snmp config(5) man page </xhtml:li><xhtml:li>the snmpd.conf(5) man page</xhtml:li></xhtml:ul> > </xccdf:description> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > </xccdf:Group> > </xccdf:Benchmark> > </ds:component> > <ds:component id="scap_org.open-scap_comp_scap-fedora14-oval.xml" timestamp="2012-07-20T12:22:58"> > <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"> > <generator> > <oval:product_name>vim, emacs</oval:product_name> > <oval:schema_version>5.5</oval:schema_version> > <oval:timestamp>2010-08-30T12:00:00-04:00</oval:timestamp> > </generator> > <definitions> > <definition class="compliance" id="oval:org.open-scap.f14:def:20000" version="1"> > <metadata> > <title>Ensure that /tmp has its own partition or logical volume</title> > <reference ref_id="TBD" source="CCE"/> > <description>The /tmp directory is a world-writable directory used for temporary ï¬le storage. 
Verify that it has its own partition or logical volume.</description> > </metadata> > <criteria> > <criterion comment="Check in /etc/fstab for a /tmp mount point" test_ref="oval:org.open-scap.f14:tst:20000"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20001" version="1"> > <metadata> > <title>Ensure that /tmp is of adequate size</title> > <reference ref_id="TBD" source="CCE"/> > <description>Because software may need to use /tmp to temporarily store large ï¬les, ensure that it is of adequate size.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20002" version="1"> > <metadata> > <title>Ensure that /var has its own partition or logical volume</title> > <reference ref_id="TBD" source="CCE"/> > <description>The /var directory is used by daemons and other system > services to store frequently-changing data. It is not uncommon for the /var directory > to contain world-writable directories, installed by other software packages. > Ensure that /var has its own partition or logical volume.</description> > </metadata> > <criteria> > <criterion comment="Check in /etc/fstab for a /var mount point" test_ref="oval:org.open-scap.f14:tst:20002"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20003" version="1"> > <metadata> > <title>Ensure that /var is of adequate size</title> > <reference ref_id="TBD" source="CCE"/> > <description>Because the yum package manager and other software uses /var to temporarily store > large ï¬les, ensure that it is of adequate size. 
For a modern, general-purpose system, > 10GB should be adequate.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20004" version="1"> > <metadata> > <title>Ensure that /var/log has its own partition or logical volum</title> > <reference ref_id="TBD" source="CCE"/> > <description>System logs are stored in the /var/log directory. Ensure that it has its own partition or logical volume.</description> > </metadata> > <criteria> > <criterion comment="Check in /etc/fstab for a /var/log mount point" test_ref="oval:org.open-scap.f14:tst:20004"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20005" version="1"> > <metadata> > <title>Ensure that /var/log/audit has its own partition or logical volume</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit logs are stored in the /var/log/audit directory. > Ensure that it has its own partition or logical volume. Make absolutely certain > that it is large enough to store all audit logs that will be created by the auditing > daemon.</description> > </metadata> > <criteria> > <criterion comment="Check in /etc/fstab for a /var/log/audit mount point" test_ref="oval:org.open-scap.f14:tst:20005"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20006" version="1"> > <metadata> > <title>Ensure that /home has its own partition or logical volume</title> > <reference ref_id="TBD" source="CCE"/> > <description>If user home directories will be stored locally, create a separate > partition for /home. 
If /home will be mounted from another system such as an NFS server, then > creating a separate partition is not necessary at this time, and the mountpoint can > instead be conï¬gured later.</description> > </metadata> > <criteria> > <criterion comment="Check in /etc/fstab for a /home mount point" test_ref="oval:org.open-scap.f14:tst:20006"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:200065" version="1"> > <metadata> > <title>Ensure that GPG Key for Fedora is installed</title> > <reference ref_id="TBD" source="CCE"/> > <description>The GPG key should be installed.</description> > </metadata> > <criteria> > <criterion comment="check gpg signature" test_ref="oval:org.open-scap.f14:tst:200065"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20008" version="1"> > <metadata> > <title>yum-updatesd service should be disabled</title> > <reference ref_id="CCE-4218-4" source="CCE"/> > <description>The yum-updatesd service should be disabled</description> > </metadata> > <criteria> > <criterion comment="check that yum-updatesd service is disabled" test_ref="oval:org.open-scap.f14:tst:20008"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20009" version="1"> > <metadata> > <title>Automatic Update Retrieval should be scheduled with Cron</title> > <reference ref_id="TBD" source="CCE"/> > <description>Place the yum.cron script somewhere in /etc/cron.*/</description> > </metadata> > <criteria> > <criterion comment="check for existence of yum.cron" test_ref="oval:org.open-scap.f14:tst:20009"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20010" version="1"> > <metadata> > <title>Ensure gpgcheck is Globally Activated</title> > <reference ref_id="TBD" source="CCE"/> > <description>The gpgcheck option should be used to ensure that checking of an RPM packageâs signature always occurs prior > 
to its installation./</description> > </metadata> > <criteria> > <criterion comment="check value of gpgcheck in /etc/yum.conf" test_ref="oval:org.open-scap.f14:tst:20010"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20011" version="1"> > <metadata> > <title>Ensure Package Signature Checking is Not Disabled For Any Repos</title> > <reference ref_id="TBD" source="CCE"/> > <description>To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT > appear in any repo conï¬guration ï¬les in /etc/yum.repos.d or elsewhere</description> > </metadata> > <criteria> > <criterion comment="check value of gpgcheck=0 in /etc/yum.repos.d/*" negate="true" test_ref="oval:org.open-scap.f14:tst:20011"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20012" version="1"> > <metadata> > <title>Ensure Repodata Signature Checking is Globally Activated</title> > <reference ref_id="TBD" source="CCE"/> > <description>The repo_gpgcheck option should be used to ensure that checking of a signature on repodata is performed prior > to using it.</description> > </metadata> > <criteria> > <criterion comment="check value of repo_gpgcheck in /etc/yum.conf" test_ref="oval:org.open-scap.f14:tst:20012"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20013" version="1"> > <metadata> > <title>Ensure Repodata Signature Checking is Not Disabled For Any Repos</title> > <reference ref_id="TBD" source="CCE"/> > <description>To ensure that signature checking is not disabled for any repos, ensure that the following line DOES NOT > appear in any repo conï¬guration ï¬les in /etc/yum.repos.d or elsewhere:</description> > </metadata> > <criteria> > <criterion comment="check value of repo_gpgcheck=0 in /etc/yum.repos.d/*" negate="true" test_ref="oval:org.open-scap.f14:tst:20013"/> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20014" version="1"> > <metadata> > <title>Install AIDE</title> > <reference ref_id="CCE-4209-3" source="CCE"/> > <description>The AIDE package should be installed</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20014"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20015" version="1"> > <metadata> > <title>Run AIDE periodically</title> > <reference ref_id="CCE-4209-3" source="CCE"/> > <description>>Setup cron to run AIDE periodically using cron.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:200155" version="1"> > <metadata> > <title>Verify Package Integrity Using RPM</title> > <reference ref_id="CCE-4209-3" source="CCE"/> > <description>>Verify the integrity of installed packages by comparing the installed ï¬les with > information about the ï¬les taken from the package metadata stored in the RPM > database.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20016" version="1"> > <metadata> > <title>Add nodev Option to Non-Root Local Partitions</title> > <reference ref_id="CCE-4249-9" source="CCE"/> > <description>The nodev option should be enabled for all non-root partitions.</description> > </metadata> > <criteria> > <criterion comment="Check options for nodev in /etc/fstab for all non-root partitions" test_ref="oval:org.open-scap.f14:tst:20016"/> > <criterion comment="Check options for nodev in /etc/mtab for all non-root partitions" test_ref="oval:org.open-scap.f14:tst:200162"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20017" version="1"> > <metadata> > <title>Add nodev Option to Removable Media Partitions</title> > <reference ref_id="CCE-3522-0" source="CCE"/> > <description>The nodev option should be enabled for all removable media.</description> > </metadata> > <criteria> > <!-- TODO create a udev rule and make sure it is present --> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20018" version="1"> > <metadata> > <title>Add noexec Option to Removable Media Partitions</title> > <reference ref_id="CCE-4275-4" source="CCE"/> > <description>The noexec option should be enabled for all removable media.</description> > </metadata> > <criteria> > <!-- TODO create a udev rule and make sure it is present --> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20019" version="1"> > <metadata> > <title>Add nosuid Option to Removable Media Partitions</title> > <reference ref_id="CCE-4042-8" source="CCE"/> > <description>The nosuid option should be enabled for all removable media.</description> > </metadata> > <criteria> > <!-- TODO create a udev rule and make sure it is present --> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20020" version="1"> > <metadata> > <title>Restrict Console Device Access</title> > <reference ref_id="CCE-3685-5" source="CCE"/> > <description>Console device ownership should be restricted to root-only as appropriate.</description> > </metadata> > <criteria> > <criterion comment="check file /etc/security/console.perms.d/50-default.perms for <console> or <xconsole>" test_ref="oval:org.open-scap.f14:tst:20020"/> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20021" version="1"> > <metadata> > <title>Disable Modprobe Loading of USB Storage Driver</title> > <reference ref_id="CCE-4187-1" source="CCE"/> > <description>The USB device support module should not be loaded</description> > </metadata> > <criteria> > <criterion comment="check the usb storage support" test_ref="oval:org.open-scap.f14:tst:20021"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20022" version="1"> > <metadata> > <title>Remove USB Storage Driver</title> > <reference ref_id="CCE-4006-3" source="CCE"/> > <description>The USB device support module should not be installed.</description> > </metadata> > <criteria> > <criterion comment="Check if The USB device support module is not installed" test_ref="oval:org.open-scap.f14:tst:20022"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20023" version="1"> > <metadata> > <title>Disable Kernel Support for USB via Bootloader Configuration</title> > <reference ref_id="CCE-4173-1" source="CCE"/> > <description>USB kernel support should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20023"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20024" version="1"> > <metadata> > <title>Disable Booting from USB Devices in the BIOS</title> > <reference ref_id="CCE-3944-6" source="CCE"/> > <description>The ability to boot from USB devices should be disabled</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20025" version="1"> > <metadata> > <title>Disable the Automounter if Possible</title> > <reference ref_id="CCE-4072-5" source="CCE"/> > <description>The autofs service is 
disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20025"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20026" version="1"> > <metadata> > <title>Disable GNOME Automounting if Possible</title> > <reference ref_id="CCE-4231-7" source="CCE"/> > <description>The GNOME automounter (gnome-volume-manager) should be disabled</description> > </metadata> > <criteria> > <criterion comment="XMLFile test" test_ref="oval:org.open-scap.f14:tst:20026"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20027" version="1"> > <metadata> > <title>Disable Mounting of cramfs</title> > <reference ref_id="CCE-4231-7" source="CCE"/> > <description>prevents usage of this uncommon ï¬lesystems.</description> > </metadata> > <criteria> > <criterion comment="check for cramfs" test_ref="oval:org.open-scap.f14:tst:20027"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20028" version="1"> > <metadata> > <title>Disable Mounting of freevxfs</title> > <reference ref_id="CCE-4231-7" source="CCE"/> > <description>prevents usage of this uncommon ï¬lesystems.</description> > </metadata> > <criteria> > <criterion comment="check for freevxfs" test_ref="oval:org.open-scap.f14:tst:20028"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20029" version="1"> > <metadata> > <title>Disable Mounting of jffs2</title> > <reference ref_id="CCE-4231-7" source="CCE"/> > <description>prevents usage of this uncommon ï¬lesystems.</description> > </metadata> > <criteria> > <criterion comment="check for jffs2" test_ref="oval:org.open-scap.f14:tst:20029"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20030" version="1"> > <metadata> > <title>Disable Mounting of hfs</title> > <reference ref_id="CCE-4231-7" 
source="CCE"/> > <description>prevents usage of this uncommon filesystem.</description> > </metadata> > <criteria> > <criterion comment="check for hfs" test_ref="oval:org.open-scap.f14:tst:20030"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20031" version="1"> > <metadata> > <title>Disable Mounting of hfsplus</title> > <reference ref_id="CCE-4231-7" source="CCE"/> > <description>prevents usage of this uncommon filesystem.</description> > </metadata> > <criteria> > <criterion comment="check for hfsplus" test_ref="oval:org.open-scap.f14:tst:20031"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20032" version="1"> > <metadata> > <title>Disable Mounting of squashfs</title> > <reference ref_id="CCE-4231-7" source="CCE"/> > <description>prevents usage of this uncommon filesystem.</description> > </metadata> > <criteria> > <criterion comment="check for squashfs" test_ref="oval:org.open-scap.f14:tst:20032"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20033" version="1"> > <metadata> > <title>Disable Mounting of udf</title> > <reference ref_id="CCE-4231-7" source="CCE"/> > <description>prevents usage of this uncommon filesystem.</description> > </metadata> > <criteria> > <criterion comment="check for udf" test_ref="oval:org.open-scap.f14:tst:20033"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20034" version="1"> > <metadata> > <title>Verify user who owns 'shadow' file</title> > <reference ref_id="CCE-3918-0" source="CCE"/> > <description>The /etc/shadow file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion comment="Check file ownership of /etc/shadow" test_ref="oval:org.open-scap.f14:tst:20034"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20035" version="1"> > <metadata> > 
<title>Verify group who owns 'shadow' file</title> > <reference ref_id="CCE-3988-3" source="CCE"/> > <description>The /etc/shadow file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20035"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20036" version="1"> > <metadata> > <title>Verify user who owns 'group' file</title> > <reference ref_id="CCE-3276-3" source="CCE"/> > <description>The /etc/group file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20036"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20037" version="1"> > <metadata> > <title>Verify group who owns 'group' file</title> > <reference ref_id="CCE-3883-6" source="CCE"/> > <description>The /etc/group file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20037"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20038" version="1"> > <metadata> > <title>Verify user who owns 'gshadow' file</title> > <reference ref_id="CCE-4210-1" source="CCE"/> > <description>The /etc/gshadow file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20038"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20039" version="1"> > <metadata> > <title>Verify group who owns 'gshadow' file</title> > <reference ref_id="CCE-4064-2" source="CCE"/> > <description>The /etc/gshadow file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20039"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20040" 
version="1"> > <metadata> > <title>Verify user who owns 'passwd' file</title> > <reference ref_id="CCE-3958-6" source="CCE"/> > <description>The /etc/passwd file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20040"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20041" version="1"> > <metadata> > <title>Verify group who owns 'passwd' file</title> > <reference ref_id="CCE-3495-9" source="CCE"/> > <description>The /etc/passwd file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20041"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20042" version="1"> > <metadata> > <title>Verify permissions on 'shadow' file</title> > <reference ref_id="CCE-4130-1" source="CCE"/> > <description>File permissions for /etc/shadow should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20042"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20043" version="1"> > <metadata> > <title>Verify permissions on 'group' file</title> > <reference ref_id="CCE-3967-7" source="CCE"/> > <description>File permissions for /etc/group should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20043"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20044" version="1"> > <metadata> > <title>Verify permissions on 'gshadow' file</title> > <reference ref_id="CCE-3932-1" source="CCE"/> > <description>File permissions for /etc/gshadow should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20044"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20045" version="1"> > <metadata> > <title>Verify permissions on 'passwd' file</title> > <reference ref_id="CCE-3566-7" source="CCE"/> > <description>File permissions for /etc/passwd should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20045"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20046" version="1"> > <metadata> > <title>Verify that All World-Writable Directories Have Sticky Bits Set</title> > <reference ref_id="CCE-3399-3" source="CCE"/> > <description>The sticky bit should be set for all world-writable directories.</description> > </metadata> > <criteria> > <criterion comment="Check all directories and make sure they are either not world writable or if they are they have the sticky bit set" test_ref="oval:org.open-scap.f14:tst:20046"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20047" version="1"> > <metadata> > <title>Find Unauthorized World-Writable Files</title> > <reference ref_id="CCE-3795-2" source="CCE"/> > <description>The world-write permission should be disabled for all files.</description> > </metadata> > <criteria> > <!-- Need a way to add exceptions to a list somehow --> > <criterion comment="Check all files and make sure they are not world writable" negate="true" test_ref="oval:org.open-scap.f14:tst:20047"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20048" version="1"> > <metadata> > <title>Find Unauthorized SGID System Executables</title> > <reference ref_id="CCE-4178-0" source="CCE"/> > <description>The sgid bit should be not set for all executable files.</description> > </metadata> > <criteria> > <criterion comment="Check that there are no unexpected files with sgid bit set" test_ref="oval:org.open-scap.f14:tst:20048"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20049" version="1"> > <metadata> > <title>Find Unauthorized SUID System Executables</title> > <reference ref_id="CCE-3324-1" source="CCE"/> > <description>The suid bit should be not set for all files.</description> > </metadata> > <criteria> > <criterion comment="Check that there are no unexpected files with suid bit set" test_ref="oval:org.open-scap.f14:tst:20049"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20050" version="1"> > <metadata> > <title>Find files unowned by a user</title> > <reference ref_id="CCE-4223-4" source="CCE"/> > <description>All files should be owned by a user</description> > </metadata> > <criteria> > <criterion comment="Check all files and make sure they are owned by a user" test_ref="oval:org.open-scap.f14:tst:20050"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20051" version="1"> > <metadata> > <title>Find files unowned by a group</title> > <reference ref_id="CCE-3573-3" source="CCE"/> > <description>All files should be owned by a group</description> > </metadata> > <criteria> > <criterion comment="Check all files and make sure they are owned by a group" test_ref="oval:org.open-scap.f14:tst:20051"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20052" version="1"> > <metadata> > <title>Find world writable directories not owned by a system account</title> > <reference ref_id="TBD" source="CCE"/> > <description>All world writable directories should be owned by a system user</description> > </metadata> > <criteria> > <criterion comment="Check all directories are not world writable or owned by a user with uid less than 500" test_ref="oval:org.open-scap.f14:tst:20052"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20053" version="1"> > <metadata> > <title>Set Daemon umask</title> > <reference ref_id="CCE-4220-0" 
source="CCE"/> > <description>The daemon umask should be set as appropriate</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20053"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20055" version="1"> > <metadata> > <title>Disable Core Dumps</title> > <reference ref_id="CCE-4225-9" source="CCE"/> > <description>Core dumps for all users should be disabled</description> > </metadata> > <criteria> > <criterion comment="Are core dumps disabled" test_ref="oval:org.open-scap.f14:tst:20055"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20056" version="1"> > <metadata> > <title>Disable Core Dumps for setuid programs</title> > <reference ref_id="CCE-4247-3" source="CCE"/> > <description>Core dumps for setuid programs should be disabled</description> > </metadata> > <criteria> > <criterion comment="Are core dumps for setuid programs disabled?" test_ref="oval:org.open-scap.f14:tst:20056"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20057" version="1"> > <metadata> > <title>Enable ExecShield</title> > <reference ref_id="CCE-4168-1" source="CCE"/> > <description>ExecShield should be enabled</description> > </metadata> > <criteria> > <criterion comment="Is execshield enabled" test_ref="oval:org.open-scap.f14:tst:20057"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20058" version="1"> > <metadata> > <title>Enable ExecShield randomized placement of virtual memory regions</title> > <reference ref_id="CCE-4146-7" source="CCE"/> > <description>ExecShield randomized placement of virtual memory regions should be enabled</description> > </metadata> > <criteria> > <criterion comment="check ExecShield randomized placement of virtual memory regions" test_ref="oval:org.open-scap.f14:tst:20058"/> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20060" version="1"> > <metadata> > <title>Enable XD/NX processor support in the BIOS</title> > <reference ref_id="CCE-4177-2" source="CCE"/> > <description>The XD/NX processor feature should be enabled in the BIOS</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:20060"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20061" version="1"> > <metadata> > <title>Restrict Root Logins to System Console</title> > <reference ref_id="CCE-3820-8" source="CCE"/> > <description>Logins through the specified virtual console interface should be enabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20061"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20062" version="1"> > <metadata> > <title>Restrict Root Logins to System Console</title> > <reference ref_id="CCE-3485-0" source="CCE"/> > <description>Logins through the specified virtual console device should be enabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20062"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20063" version="1"> > <metadata> > <title>Restrict Root Logins to System Console</title> > <reference ref_id="CCE-4111-1" source="CCE"/> > <description>Logins through the primary console device should be disabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20063"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20064" version="1"> > <metadata> > <title>Restrict Root Logins to System Console</title> > <reference ref_id="CCE-4256-4" source="CCE"/> > <description>Login prompts 
on serial ports should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20064"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20065" version="1"> > <metadata> > <title>Limit su Access to the wheel group</title> > <description>The wheel group should exist</description> > </metadata> > <criteria> > <criterion comment="Does wheel group exist" test_ref="oval:org.open-scap.f14:tst:20065"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20066" version="1"> > <metadata> > <title>Limit command Access to the Root Account</title> > <description>Command access to the root account should be restricted to the wheel group.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20066"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20067" version="1"> > <metadata> > <title>Configure sudo to Improve Auditing of Root Access</title> > <reference ref_id="CCE-4044-4" source="CCE"/> > <description>Sudo privileges should be granted to the wheel group</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20067"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20068" version="1"> > <metadata> > <title>Block Shell and Login Access for Non-Root System Accounts</title> > <reference ref_id="CCE-3987-5" source="CCE"/> > <description>Login access to non-root system accounts should be disabled</description> > </metadata> > <criteria> > <criterion comment="check /etc/passwd for /sbin/nologin on non root system accounts" negate="true" test_ref="oval:org.open-scap.f14:tst:20068"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20069" 
version="1"> > <metadata> > <title>Verify that No Accounts Have Empty Password Fields</title> > <reference ref_id="CCE-4238-2" source="CCE"/> > <description>Login access to accounts without passwords should be disabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20069"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:200695" version="1"> > <metadata> > <title>Verify that All Account Password Hashes are Shadowed</title> > <reference ref_id="CCE-4238-2" source="CCE"/> > <description>Check that passwords are shadowed</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:200695"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20070" version="1"> > <metadata> > <title>Verify that No Non-Root Accounts Have UID 0</title> > <reference ref_id="CCE-4009-7" source="CCE"/> > <description>Anonymous root logins are disabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20070"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20071" version="1"> > <metadata> > <title>Set Password Expiration Parameters</title> > <reference ref_id="CCE-4154-1" source="CCE"/> > <description>The password minimum length should be set appropriately</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20071"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20072" version="1"> > <metadata> > <title>Set Password Expiration Parameters</title> > <reference ref_id="CCE-4180-6" source="CCE"/> > <description>The "minimum password age" policy should meet minimum requirements. 
</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20072"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20073" version="1"> > <metadata> > <title>Set Password Expiration Parameters</title> > <reference ref_id="CCE-4092-3" source="CCE"/> > <description>The "maximum password age" policy should meet minimum requirements. </description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20073"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20074" version="1"> > <metadata> > <title>Set Password Expiration Parameters</title> > <reference ref_id="CCE-4097-2" source="CCE"/> > <description>The password warn age should be set appropriately</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20074"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20075" version="1"> > <metadata> > <title>Remove Legacy + Entries from Password Files</title> > <description>NIS file inclusions should be set appropriately in the /etc/shadow file</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20075"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20076" version="1"> > <metadata> > <title>Remove Legacy + Entries from Password Files</title> > <description>NIS file inclusions should be set appropriately in the /etc/group file</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20076"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20077" version="1"> > <metadata> > <title>Remove Legacy + Entries from Password Files</title> > <reference ref_id="CCE-4114-5" source="CCE"/> > <description>NIS file inclusions 
should be set appropriately in the /etc/passwd file</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20077"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20078" version="1"> > <metadata> > <title>Set Password Quality Requirements</title> > <reference ref_id="CCE-3762-2" source="CCE"/> > <description>The password strength should meet minimum requirements using pam_cracklib</description> > </metadata> > <criteria comment="Conditions for retry, minlen, dcredit, ucredit, ocredit, lcredit and difok are satisfied" operator="AND"> > <criterion comment="Test retry" test_ref="oval:org.open-scap.f14:tst:200781"/> > <criterion comment="Test minlen" test_ref="oval:org.open-scap.f14:tst:200782"/> > <criterion comment="Test dcredit" test_ref="oval:org.open-scap.f14:tst:200783"/> > <criterion comment="Test ucredit" test_ref="oval:org.open-scap.f14:tst:200784"/> > <criterion comment="Test ocredit" test_ref="oval:org.open-scap.f14:tst:200785"/> > <criterion comment="Test lcredit" test_ref="oval:org.open-scap.f14:tst:200786"/> > <criterion comment="Test difok" test_ref="oval:org.open-scap.f14:tst:200787"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20079" version="1"> > <metadata> > <title>Set Password Quality Requirements</title> > <reference ref_id="CCE-3762-2" source="CCE"/> > <description>The password strength should meet minimum requirements using pam_passwdqc</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:20079"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20080" version="1"> > <metadata> > <title>Set Lockouts for Failed Password Attempts</title> > <reference ref_id="CCE-3410-8" source="CCE"/> > <description>The "account lockout threshold" policy should meet minimum 
requirements.</description> > </metadata> > <criteria> > <criteria comment="check that pam_tally2 authorization module is configured correctly" operator="OR"> > <criteria comment="unlock_time is not present"> > <criterion comment="check unlock_time is 0" test_ref="oval:org.open-scap.f14:tst:200800"/> > <criteria comment="check that pam_tally2 authorization module is configured correctly" operator="OR"> > <criterion comment="check system-auth pam_tally2 excluding unlock_time" test_ref="oval:org.open-scap.f14:tst:2008011"/> > <criterion comment="check system-auth pam_tally2 excluding unlock_time" test_ref="oval:org.open-scap.f14:tst:2008012"/> > </criteria> > </criteria> > <criteria comment="unlock_time is present"> > <criterion comment="check unlock_time is not 0 (by checking for zero and negating)" negate="true" test_ref="oval:org.open-scap.f14:tst:200800"/> > <criteria comment="check that pam_tally2 authorization module is configured correctly" operator="OR"> > <criterion comment="check system-auth pam_tally2 including unlock_time" test_ref="oval:org.open-scap.f14:tst:2008011"/> > <criterion comment="check system-auth pam_tally2 including unlock_time" test_ref="oval:org.open-scap.f14:tst:2008012"/> > <criterion comment="check system-auth pam_tally2 including unlock_time" test_ref="oval:org.open-scap.f14:tst:2008013"/> > </criteria> > </criteria> > </criteria> > <criterion comment="check that pam_tally2 account module is configured correctly" test_ref="oval:org.open-scap.f14:tst:200803"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:200805" version="1"> > <metadata> > <title>Do not leak information on authorization failure</title> > <reference ref_id="TBD" source="CCE"/> > <description>Authorization failures should not alert attackers as to what went wrong.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub (use required instead of sufficient)" 
test_ref="oval:org.open-scap.f14:tst:200805"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:200806" version="1"> > <metadata> > <title>Do not log authorization failures and successes</title> > <reference ref_id="TBD" source="CCE"/> > <description>Remove pam_succeed_if module with quiet option and remove auth pam_deny line.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub (check that pam_succeed_if is not there with quiet option)" test_ref="oval:org.open-scap.f14:tst:2008061"/> > <criterion comment="Unknown test stub (check that pam_deny is not there)" test_ref="oval:org.open-scap.f14:tst:2008062"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20081" version="1"> > <metadata> > <title>Restrict Execution of userhelper to Console Users</title> > <reference ref_id="CCE-4185-5" source="CCE"/> > <description>The /usr/sbin/userhelper file should be owned by the appropriate group.</description> > </metadata> > <criteria operator="AND"> > <criterion comment="test group owner of /usr/sbin/userhelper file" test_ref="oval:org.open-scap.f14:tst:20081"/> > <criterion comment="test group existence" test_ref="oval:org.open-scap.f14:tst:200811"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20082" version="1"> > <metadata> > <title>Restrict Execution of userhelper to Console Users</title> > <reference ref_id="CCE-3952-9" source="CCE"/> > <description>File permissions for /usr/sbin/userhelper should be set correctly.</description> > </metadata> > <criteria> > <criterion comment="check permissions of /usr/sbin/userhelper file" test_ref="oval:org.open-scap.f14:tst:20082"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20083" version="1"> > <metadata> > <title>Set Password hashing algorithm</title> > <reference ref_id="TBD" source="CCE"/> > <description>The 
password hashing algorithm should be set correctly.</description> > </metadata> > <criteria operator="ONE"> > <criteria> > <criterion comment="check that desired hashing algorithm is MD5" test_ref="oval:org.open-scap.f14:tst:200831"/> > <criterion comment="Make sure /etc/login.defs is set to use md5" test_ref="oval:org.open-scap.f14:tst:200832"/> > </criteria> > <criteria> > <criterion comment="check that desired hashing algorithm is not MD5 (negate previous test)" negate="true" test_ref="oval:org.open-scap.f14:tst:200831"/> > <criterion comment="Make sure /etc/login.defs is not set to use md5 (negate previous test)" negate="true" test_ref="oval:org.open-scap.f14:tst:200832"/> > <criterion comment="Make sure /etc/login.defs is set to use ENCRYPT_METHOD" test_ref="oval:org.open-scap.f14:tst:200833"/> > <criterion comment="Make sure /etc/pam.d/system-auth is set to use hashing algorithm" test_ref="oval:org.open-scap.f14:tst:200834"/> > <criterion comment="Make sure /etc/libuser.conf is set to use hashing algorithm as crypt_style" test_ref="oval:org.open-scap.f14:tst:200835"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20084" version="1"> > <metadata> > <title>Limit password reuse</title> > <reference ref_id="TBD" source="CCE"/> > <description>The passwords to remember should be set correctly.</description> > </metadata> > <criteria operator="ONE"> > <criteria> > <criterion comment="remember parameter is set to 0" test_ref="oval:org.open-scap.f14:tst:200841"/> > </criteria> > <criteria> > <criterion comment="remember parameter is set to 0 (note this is negated)" negate="true" test_ref="oval:org.open-scap.f14:tst:200841"/> > <criterion comment="check the /etc/pam.d/system-auth password module has a remember option set appropriately" test_ref="oval:org.open-scap.f14:tst:200842"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20085" version="1"> 
> <metadata> > <title>Ensure that No Dangerous Directories Exist in Root's Path</title> > <reference ref_id="CCE-3301-9" source="CCE"/> > <description>The PATH variable should be set correctly for user root</description> > </metadata> > <criteria comment="(not OR) means PATH does not start with : or . AND PATH does not end with : or . AND PATH does not contain :: or :.:" negate="true" operator="OR"> > <criterion comment="PATH starts with : or ." test_ref="oval:org.open-scap.f14:tst:200851"/> > <criterion comment="PATH ends with : or ." test_ref="oval:org.open-scap.f14:tst:200852"/> > <criterion comment="PATH contains :: or :.:" test_ref="oval:org.open-scap.f14:tst:200853"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:200855" version="1"> > <metadata> > <title>Write permissions are disabled for group and other in all directories in Root's Path</title> > <reference ref_id="TBD" source="CCE"/> > <description>Check each directory in root's path and make sure it does not grant write permission to group and other</description> > </metadata> > <criteria> > <criterion comment="Check that write permission to group and other in root's path is denied" test_ref="oval:org.open-scap.f14:tst:200855"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20086" version="1"> > <metadata> > <title>Ensure that User Home Directories are not Group-Writable or World-Readable</title> > <reference ref_id="CCE-4090-7" source="CCE"/> > <description>File permissions should be set correctly for the home directories for all user accounts.</description> > </metadata> > <criteria comment="Both criteria are negated to get desired result"> > <criterion comment="Home directories are group writable" test_ref="oval:org.open-scap.f14:tst:200861"/> > <criterion comment="Home directories are world readable" test_ref="oval:org.open-scap.f14:tst:200862"/> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20087" version="1"> > <metadata> > <title>Ensure that Users Have Sensible Umask Values set for bash</title> > <reference ref_id="CCE-3844-8" source="CCE"/> > <description>The default umask for all users should be set correctly for the bash shell</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20087"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20088" version="1"> > <metadata> > <title>Ensure that Users Have Sensible Umask Values set for csh</title> > <reference ref_id="CCE-4227-5" source="CCE"/> > <description>The default umask for all users should be set correctly for the csh shell</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20088"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20091" version="1"> > <metadata> > <title>Check for existence of .netrc file</title> > <reference ref_id="TBD" source="CCE"/> > <description>No user directory should contain a .netrc file</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20092" version="1"> > <metadata> > <title>Set Boot Loader Password</title> > <reference ref_id="CCE-4144-2" source="CCE"/> > <description>The /etc/grub.conf file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20092"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20093" version="1"> > <metadata> > <title>Set Boot Loader Password</title> > <reference ref_id="CCE-4197-0" source="CCE"/> > <description>The /etc/grub.conf file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion 
test_ref="oval:org.open-scap.f14:tst:20093"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20094" version="1"> > <metadata> > <title>Set Boot Loader Password</title> > <reference ref_id="CCE-3923-0" source="CCE"/> > <description>File permissions for /etc/grub.conf should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20094"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20095" version="1"> > <metadata> > <title>Set Boot Loader Password</title> > <reference ref_id="CCE-3818-2" source="CCE"/> > <description>The grub boot loader should have password protection enabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20095"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20096" version="1"> > <metadata> > <title>Require Authentication for Single-User Mode</title> > <reference ref_id="CCE-4241-6" source="CCE"/> > <description>The requirement for a password to boot into single-user mode should be configured correctly.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20096"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20097" version="1"> > <metadata> > <title>Disable Interactive Boot</title> > <reference ref_id="CCE-4245-7" source="CCE"/> > <description>The ability for users to perform interactive startups should be disabled.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20097"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20098" version="1"> > <metadata> > <title>Implement Inactivity Time-out for Login Shells</title> > <reference ref_id="CCE-3689-7" source="CCE"/> > 
<description>The idle time-out value for the default /bin/tcsh shell should meet the minimum requirements.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20098"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20099" version="1"> > <metadata> > <title>Implement Inactivity Time-out for Login Shells</title> > <reference ref_id="CCE-3707-7" source="CCE"/> > <description>The idle time-out value for the default /bin/bash shell should meet the minimum requirements.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:20099"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20100" version="1"> > <metadata> > <title>Configure GUI Screen Locking</title> > <reference ref_id="CCE-3315-9" source="CCE"/> > <description>The allowed period of inactivity gnome desktop lockout should be configured correctly.</description> > </metadata> > <criteria> > <criterion comment="check value of idle_delay in GCONF" test_ref="oval:org.open-scap.f14:tst:20100"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201005" version="1"> > <metadata> > <title>Implement idle activation of screen saver</title> > <reference ref_id="TBD" source="CCE"/> > <description>Idle activation of the screen saver should be enabled.</description> > </metadata> > <criteria> > <criterion comment="check value of idle_activation_enabled in GCONF" test_ref="oval:org.open-scap.f14:tst:201005"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201006" version="1"> > <metadata> > <title>Implement idle activation of screen lock</title> > <reference ref_id="TBD" source="CCE"/> > <description>Idle activation of the screen lock should be enabled.</description> > </metadata> > <criteria> > <criterion comment="check value of lock_enabled in 
GCONF" test_ref="oval:org.open-scap.f14:tst:201006"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201007" version="1"> > <metadata> > <title>Implement blank screen saver</title> > <reference ref_id="TBD" source="CCE"/> > <description>The screen saver should be blank.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:201007"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20101" version="1"> > <metadata> > <title>Configure GUI Screen Locking</title> > <reference ref_id="CCE-3910-7" source="CCE"/> > <description>The vlock package should be installed</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20101"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20102" version="1"> > <metadata> > <title>Modify the System Login Banner</title> > <reference ref_id="CCE-4060-0" source="CCE"/> > <description>The system login banner text should be set correctly.</description> > </metadata> > <criteria> > <criterion comment="/etc/issue is set appropriately" test_ref="oval:org.open-scap.f14:tst:20102"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20103" version="1"> > <metadata> > <title>Implement a GUI Warning Banner</title> > <reference ref_id="CCE-4188-9" source="CCE"/> > <description>The direct gnome login warning banner should be set correctly.</description> > </metadata> > <criteria> > <criterion comment="Check that the GConf setting for the login banner is set correctly" test_ref="oval:org.open-scap.f14:tst:20103"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201035" version="1"> > <metadata> > <title>Ensure SELinux is Properly Enabled</title> > <reference ref_id="TBD" source="CCE"/> > 
<description>Check output of /usr/sbin/sestatus.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20104" version="1"> > <metadata> > <title>Enable SELinux</title> > <reference ref_id="CCE-3977-6" source="CCE"/> > <description>SELinux should be enabled</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20104"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20105" version="1"> > <metadata> > <title>Enable SELinux enforcing</title> > <reference ref_id="TBD" source="CCE"/> > <description>SELinux should be enforcing in the bootloader</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20105"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20106" version="1"> > <metadata> > <title>Enable SELinux state</title> > <reference ref_id="TBD" source="CCE"/> > <description>The SELinux state should be set appropriately.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20106"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20107" version="1"> > <metadata> > <title>Enable SELinux</title> > <reference ref_id="CCE-3624-4" source="CCE"/> > <description>The SELinux policy should be set appropriately.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20107"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20108" version="1"> > <metadata> > <title>Disable and Remove SETroubleshoot if Possible</title> > <reference ref_id="CCE-4148-3" source="CCE"/> > <description>The setroubleshoot package should be uninstalled.</description> > </metadata> > <criteria> > <criterion 
comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20108"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20109" version="1"> > <metadata> > <title>Disable and Remove SETroubleshoot if Possible</title> > <reference ref_id="CCE-4254-9" source="CCE"/> > <description>The setroubleshoot service should be disabled.</description> > </metadata> > <criteria comment="The setroubleshoot package should be uninstalled or conditions are met" operator="OR"> > <extend_definition comment="setroubleshoot is not installed" definition_ref="oval:org.open-scap.f14:def:20108"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20109"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20110" version="1"> > <metadata> > <title>Disable MCS Translation Service (mcstrans) if Possible</title> > <reference ref_id="CCE-3668-1" source="CCE"/> > <description>The mcstrans service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20110"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201115" version="1"> > <metadata> > <title>Check for Unconfined Daemons</title> > <reference ref_id="TBD" source="CCE"/> > <description>Check for device ï¬le that is not labeled.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20111" version="1"> > <metadata> > <title>Restorecon Service (restorecond)</title> > <reference ref_id="CCE-4129-3" source="CCE"/> > <description>The restorecond service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20111"/> > </criteria> > 
</definition> > <!-- BEGIN --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20112" version="1"> > <metadata> > <title>Network Parameters for Hosts Only</title> > <reference ref_id="CCE-4151-7" source="CCE"/> > <description>The default setting for sending ICMP redirects should be disabled for network interfaces.</description> > <tested_by name="dkopecek" time="1282130094"/> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201120"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201121"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201122"/> > </criteria> > </criteria> > </definition> > <!-- ^^^ ok ^^^ --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20113" version="1"> > <metadata> > <title>Network Parameters for Hosts Only</title> > <reference ref_id="CCE-4155-8" source="CCE"/> > <description>Sending ICMP redirects should be disabled for all interfaces.</description> > <tested_by name="dkopecek" time="1282130094"/> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201130"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201131"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201132"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20114" version="1"> > <metadata> > <title>Network Parameters for Hosts Only</title> > <reference ref_id="CCE-3561-8" source="CCE"/> > <description>IP forwarding should be disabled.</description> > <tested_by name="dkopecek" time="1282130094"/> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201140"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201141"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201142"/> > </criteria> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20115" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4236-6" source="CCE"/> > <description>Accepting source routed packets should be enabled or disabled for all interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201150"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201151"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201152"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20116" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4217-6" source="CCE"/> > <description>Accepting ICMP redirects should be enabled or disabled for all interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201160"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201161"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201162"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20117" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-3472-8" source="CCE"/> > <description>Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for all interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201170"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201171"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201172"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20118" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4320-8" source="CCE"/> > <description>Logging of "martian" packets (those with impossible addresses) should be enabled or disabled for all interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201180"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201181"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201182"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20119" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4091-5" source="CCE"/> > <description>The default setting for accepting source routed packets should be enabled or disabled for network interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201190"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201191"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201192"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20120" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4186-3" source="CCE"/> > <description>The default setting for accepting ICMP redirects should be enabled or disabled for network interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201200"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201201"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201202"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20121" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-3339-9" source="CCE"/> > <description>The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for network interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201210"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201211"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201212"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20122" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-3644-2" source="CCE"/> > <description>Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled or disabled as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201220"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201221"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201222"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20123" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4133-5" source="CCE"/> > <description>Ignoring bogus ICMP responses to broadcasts should be enabled or disabled as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201230"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201231"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201232"/> > </criteria> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20124" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4265-5" source="CCE"/> > <description>Sending TCP syncookies should be enabled or disabled as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201240"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201241"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201242"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20125" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-4080-8" source="CCE"/> > <description>Performing source validation by reverse path should be enabled or disabled for all interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201250"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201251"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201252"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20126" version="1"> > <metadata> > <title>Network Parameters for Hosts and Routers</title> > <reference ref_id="CCE-3840-6" source="CCE"/> > <description>The default setting for performing source validation by reverse path should be enabled or disabled for network interfaces as appropriate.</description> > </metadata> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201260"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201261"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201262"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20127" 
version="1"> > <metadata> > <title>Disable Wireless in BIOS</title> > <reference ref_id="CCE-3628-5" source="CCE"/> > <description>All wireless devices should be disabled in the BIOS.</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20128" version="1"> > <metadata> > <title>Deactivate Wireless Interfaces</title> > <reference ref_id="CCE-4276-2" source="CCE"/> > <description>All wireless interfaces should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Find wireless interfaces" test_ref="oval:org.open-scap.f14:tst:20128"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20129" version="1"> > <metadata> > <title>Disable Wireless Drivers</title> > <reference ref_id="CCE-4170-7" source="CCE"/> > <description>Device drivers for wireless devices should be excluded from the kernel.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20129"/> > </criteria> > </definition> > <!-- ipv6 --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20130" version="1"> > <metadata> > <title>Disable Automatic Loading of IPv6 Kernel Module</title> > <reference ref_id="CCE-3562-6" source="CCE"/> > <description>Automatic loading of the IPv6 kernel module should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20130"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20131" version="1"> > <metadata> > <title>Disable Interface Usage of IPv6</title> > <reference ref_id="CCE-3381-1" source="CCE"/> > <description>The default setting for IPv6 configuration should be disabled for network interfaces.</description> > </metadata> > <criteria 
comment="Either IPv6 kernel module is not loaded or this feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20131"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20132" version="1"> > <metadata> > <title>Disable Interface Usage of IPv6</title> > <reference ref_id="CCE-3377-9" source="CCE"/> > <description>Global IPv6 initialization should be disabled.</description> > </metadata> > <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20132"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20133" version="1"> > <metadata> > <title>Disable Interface Usage of IPv6</title> > <reference ref_id="CCE-4296-0" source="CCE"/> > <description>IPv6 configuration should be disabled for all interfaces.</description> > </metadata> > <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20133"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20134" version="1"> > <metadata> > <title>Disable Automatic Configuration</title> > <reference ref_id="CCE-4269-7" source="CCE"/> > <description>Accepting IPv6 router advertisements should be disabled for all network interfaces.</description> > </metadata> > <criteria comment="Either IPv6 kernel module is not loaded or this 
feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20134"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20135" version="1"> > <metadata> > <title>Disable Automatic Configuration</title> > <reference ref_id="CCE-4291-1" source="CCE"/> > <description>The default setting for accepting IPv6 router advertisements should be disabled for network interfaces. (and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20136" version="1"> > <metadata> > <title>Disable Automatic Configuration</title> > <reference ref_id="CCE-4313-3" source="CCE"/> > <description>Accepting redirects from IPv6 routers should be disabled as appropriate for all network interfaces. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20137" version="1"> > <metadata> > <title>Disable Automatic Configuration</title> > <reference ref_id="CCE-4198-8" source="CCE"/> > <description>The default setting for accepting redirects from IPv6 routers should be disabled for network interfaces. (and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20138" version="1"> > <metadata> > <title>Use Privacy Extensions for Address if Necessary</title> > <reference ref_id="CCE-3842-2" source="CCE"/> > <description>IPv6 privacy extensions should be configured appropriately for all interfaces. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 kernel module is not loaded or this feature should be disabled" operator="OR"> > <extend_definition comment="Automatic loading of the IPv6 kernel module should be disabled" definition_ref="oval:org.open-scap.f14:def:20130"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <!-- sysctl --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20139" version="1"> > <metadata> > <title>Limit Network-Transmitted Configuration</title> > <reference ref_id="CCE-4159-0" source="CCE"/> > <description>The default number of IPv6 router solicitations for network interfaces to send should be set appropriately. (and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 is disabled or this feature should be" operator="OR"> > <extend_definition comment="The default setting for IPv6 configuration should be disabled for network interfaces" definition_ref="oval:org.open-scap.f14:def:20131"/> > <extend_definition comment="Global IPv6 initialization should be disabled" definition_ref="oval:org.open-scap.f14:def:20132"/> > <extend_definition comment="IPv6 configuration should be disabled for all interfaces" definition_ref="oval:org.open-scap.f14:def:20133"/> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201390"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201391"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201392"/> > </criteria> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20140" version="1"> > <metadata> > <title>Limit Network-Transmitted Configuration</title> > <reference ref_id="CCE-4221-8" source="CCE"/> > <description>The default setting for accepting router preference via IPv6 router advertisement should be disabled for network interfaces. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 is disabled or this feature should be" operator="OR"> > <extend_definition comment="The default setting for IPv6 configuration should be disabled for network interfaces" definition_ref="oval:org.open-scap.f14:def:20131"/> > <extend_definition comment="Global IPv6 initialization should be disabled" definition_ref="oval:org.open-scap.f14:def:20132"/> > <extend_definition comment="IPv6 configuration should be disabled for all interfaces" definition_ref="oval:org.open-scap.f14:def:20133"/> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201400"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201401"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201402"/> > </criteria> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20141" version="1"> > <metadata> > <title>Limit Network-Transmitted Configuration</title> > <reference ref_id="CCE-4058-4" source="CCE"/> > <description>The default setting for accepting prefix information via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 is disabled or this feature should be" operator="OR"> > <extend_definition comment="The default setting for IPv6 configuration should be disabled for network interfaces" definition_ref="oval:org.open-scap.f14:def:20131"/> > <extend_definition comment="Global IPv6 initialization should be disabled" definition_ref="oval:org.open-scap.f14:def:20132"/> > <extend_definition comment="IPv6 configuration should be disabled for all interfaces" definition_ref="oval:org.open-scap.f14:def:20133"/> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201410"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201411"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201412"/> > </criteria> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20142" version="1"> > <metadata> > <title>Limit Network-Transmitted Configuration</title> > <reference ref_id="CCE-4128-5" source="CCE"/> > <description>The default setting for accepting a default router via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 is disabled or this feature should be" operator="OR"> > <extend_definition comment="The default setting for IPv6 configuration should be disabled for network interfaces" definition_ref="oval:org.open-scap.f14:def:20131"/> > <extend_definition comment="Global IPv6 initialization should be disabled" definition_ref="oval:org.open-scap.f14:def:20132"/> > <extend_definition comment="IPv6 configuration should be disabled for all interfaces" definition_ref="oval:org.open-scap.f14:def:20133"/> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201420"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201421"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201422"/> > </criteria> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20143" version="1"> > <metadata> > <title>Limit Network-Transmitted Configuration</title> > <reference ref_id="CCE-4287-9" source="CCE"/> > <description>The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be enabled or disabled as appropriate. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 is disabled or this feature should be" operator="OR"> > <extend_definition comment="The default setting for IPv6 configuration should be disabled for network interfaces" definition_ref="oval:org.open-scap.f14:def:20131"/> > <extend_definition comment="Global IPv6 initialization should be disabled" definition_ref="oval:org.open-scap.f14:def:20132"/> > <extend_definition comment="IPv6 configuration should be disabled for all interfaces" definition_ref="oval:org.open-scap.f14:def:20133"/> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201430"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201431"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201432"/> > </criteria> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20144" version="1"> > <metadata> > <title>Limit Network-Transmitted Configuration</title> > <reference ref_id="CCE-3895-0" source="CCE"/> > <description>The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be set appropriately. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 is disabled or this feature should be" operator="OR"> > <extend_definition comment="The default setting for IPv6 configuration should be disabled for network interfaces" definition_ref="oval:org.open-scap.f14:def:20131"/> > <extend_definition comment="Global IPv6 initialization should be disabled" definition_ref="oval:org.open-scap.f14:def:20132"/> > <extend_definition comment="IPv6 configuration should be disabled for all interfaces" definition_ref="oval:org.open-scap.f14:def:20133"/> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201440"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201441"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201442"/> > </criteria> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20145" version="1"> > <metadata> > <title>Limit Network-Transmitted Configuration</title> > <reference ref_id="CCE-4137-6" source="CCE"/> > <description>The default number of global unicast IPv6 addresses allowed per network interface should be set appropriately. 
(and dependencies are met)</description> > </metadata> > <criteria comment="Either IPv6 is disabled or this feature should be" operator="OR"> > <extend_definition comment="The default setting for IPv6 configuration should be disabled for network interfaces" definition_ref="oval:org.open-scap.f14:def:20131"/> > <extend_definition comment="Global IPv6 initialization should be disabled" definition_ref="oval:org.open-scap.f14:def:20132"/> > <extend_definition comment="IPv6 configuration should be disabled for all interfaces" definition_ref="oval:org.open-scap.f14:def:20133"/> > <criteria operator="AND"> > <criterion test_ref="oval:org.open-scap.f14:tst:201450"/> > <criteria operator="OR"> > <criterion negate="true" test_ref="oval:org.open-scap.f14:tst:201451"/> > <criterion test_ref="oval:org.open-scap.f14:tst:201452"/> > </criteria> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20146" version="1"> > <metadata> > <title>Verify ip6tables is enabled</title> > <reference ref_id="CCE-4167-3" source="CCE"/> > <description>The ip6tables service should be enabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20146"/> > </criteria> > </definition> > <!-- non sysctl --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20147" version="1"> > <metadata> > <title>Inspect and Activate Default Rules </title> > <reference ref_id="CCE-4189-7" source="CCE"/> > <description>The iptables service should be enabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20147"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201474" version="1"> > <metadata> > <title>Change the default policy to DROP (from ACCEPT) for the INPUT built-in chain</title> > <reference ref_id="TBD" source="CCE"/> > <description>Change the 
default policy to DROP (from ACCEPT) for the INPUT built-in chain.</description> > </metadata> > <criteria> > <criterion comment=":INPUT DROP [0:0]" test_ref="oval:org.open-scap.f14:tst:2014741"/> > <criterion comment=":INPUT ACCEPT [0:0]" negate="true" test_ref="oval:org.open-scap.f14:tst:2014742"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201475" version="1"> > <metadata> > <title>Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain</title> > <reference ref_id="TBD" source="CCE"/> > <description>Change the default policy to DROP (from ACCEPT) for the FORWARD built-in chain.</description> > </metadata> > <criteria> > <criterion comment=":FORWARD DROP [0:0]" test_ref="oval:org.open-scap.f14:tst:2014751"/> > <criterion comment=":FORWARD ACCEPT [0:0]" negate="true" test_ref="oval:org.open-scap.f14:tst:2014752"/> > </criteria> > </definition> > <!-- > <definition class="compliance" id="oval:org.open-scap.f14:def:201476" version="1"> > <metadata> > <title>Disable Support for DCCP</title> > <reference ref_id="TBD" source="CCE"/> > <description>Support for DCCP should be disabled.</description> > </metadata> > <criteria> > <criterion comment="check for DCCP in /etc/modprobe.conf" test_ref="oval:org.open-scap.f14:tst:201476"/> > </criteria> > </definition> > > <definition class="compliance" id="oval:org.open-scap.f14:def:201477" version="1"> > <metadata> > <title>Disable Support for SCTP</title> > <reference ref_id="TBD" source="CCE"/> > <description>Support for SCTP should be disabled.</description> > </metadata> > <criteria> > <criterion comment="check for SCTP in /etc/modprobe.conf" test_ref="oval:org.open-scap.f14:tst:201477"/> > </criteria> > </definition> > > <definition class="compliance" id="oval:org.open-scap.f14:def:201478" version="1"> > <metadata> > <title>Disable Support for RDS</title> > <reference ref_id="TBD" source="CCE"/> > <description>Support for RDS should be 
disabled.</description> > </metadata> > <criteria> > <criterion comment="check for RDS in /etc/modprobe.conf" test_ref="oval:org.open-scap.f14:tst:201478"/> > </criteria> > </definition> > > <definition class="compliance" id="oval:org.open-scap.f14:def:201479" version="1"> > <metadata> > <title>Disable Support for TIPC</title> > <reference ref_id="TBD" source="CCE"/> > <description>Support for TIPC should be disabled.</description> > </metadata> > <criteria> > <criterion comment="check for TIPC in /etc/modprobe.conf" test_ref="oval:org.open-scap.f14:tst:201479"/> > </criteria> > </definition> > --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20148" version="1"> > <metadata> > <title>Configure Syslog</title> > <reference ref_id="CCE-3679-8" source="CCE"/> > <description>The syslog service should be enabled or disabled as appropriate.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20148"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20149" version="1"> > <metadata> > <title>Confirm Existence and Permissions of System Log Files </title> > <reference ref_id="CCE-4366-1" source="CCE"/> > <description>All mandatory log files should be owned by root user.</description> > </metadata> > <criteria operator="AND"> > <criterion comment="check if user owns all mandatory log files" test_ref="oval:org.open-scap.f14:tst:20149"/> > <criterion comment="check if user exists" test_ref="oval:org.open-scap.f14:tst:201491"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20150" version="1"> > <metadata> > <title>Confirm Existence and Permissions of System Log Files</title> > <reference ref_id="CCE-3701-0" source="CCE"/> > <description>All syslog log files should be owned by the appropriate group.</description> > </metadata> > <criteria operator="AND"> > <criterion comment="check if group root 
owns all syslog log files" test_ref="oval:org.open-scap.f14:tst:20150"/> > <criterion comment="check if group exists" test_ref="oval:org.open-scap.f14:tst:201501"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20151" version="1"> > <metadata> > <title>Confirm Existence and Permissions of System Log Files </title> > <reference ref_id="CCE-4233-3" source="CCE"/> > <description>File permissions for all syslog log files should be set correctly.</description> > </metadata> > <criteria> > <criterion comment="check permissions of all syslog log files" test_ref="oval:org.open-scap.f14:tst:20151"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20152" version="1"> > <metadata> > <title>Send Logs to a Remote Loghost </title> > <reference ref_id="CCE-4260-6" source="CCE"/> > <description>Syslog logs should be sent to a remote loghost</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20152"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20153" version="1"> > <metadata> > <title>Disable syslogd from Accepting Remote Messages on Loghosts Only</title> > <reference ref_id="CCE-3382-9" source="CCE"/> > <description>Syslogd should reject remote messages</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20153"/> > </criteria> > </definition> > <!-- > <definition class="compliance" id="oval:org.open-scap.f14:def:20154" version="1"> > <metadata> > <title>Ensure All Logs are Rotated by logrotate</title> > <reference ref_id="CCE-4182-2" source="CCE"/> > <description>The logrotate (syslog rotater) service should be enabled.</description> > </metadata> > <criteria> > <criterion comment="Find each file in /etc/syslog.conf in /etc/logrotate.d/syslog" test_ref="oval:org.open-scap.f14:tst:20154"/> > 
</criteria> > </definition> > --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20155" version="1"> > <metadata> > <title>Monitor Suspicious Log Messages using Logwatch</title> > <reference ref_id="CCE-4323-2" source="CCE"/> > <description>The logwatch service should be enabled or disabled as appropriate</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <!-- END --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20156" version="1"> > <metadata> > <title>Enable the auditd Service</title> > <reference ref_id="CCE-4292-9" source="CCE"/> > <description>The auditd service should be enabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20156"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20157" version="1"> > <metadata> > <title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</title> > <reference ref_id="TBD" source="CCE"/> > <description>Look for argument audit=1 in the kernel line in /etc/grub.conf</description> > </metadata> > <criteria> > <criterion comment="check for audit=1 in /etc/grub.conf" test_ref="oval:org.open-scap.f14:tst:20157"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201575" version="1"> > <metadata> > <title>Records Events that Modify Date and Time Information</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about time are enabled</description> > </metadata> > <criteria> > <criteria comment="Architecture is 32 bit or 64 bit" operator="OR"> > <criteria comment="32bit arch"> > <criterion comment="check that arch is i386 or i686" test_ref="oval:org.open-scap.f14:tst:201670"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S 
stime -k time-change" test_ref="oval:org.open-scap.f14:tst:2015750"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S clock_settime -k time-change" test_ref="oval:org.open-scap.f14:tst:2015751"/> > </criteria> > <criteria comment="64bit arch"> > <criterion comment="check that arch is x86_64 ia64 amd64 ppc64 s390x" test_ref="oval:org.open-scap.f14:tst:201672"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S adjtimex -S settimeofday -S stime -k time-change" test_ref="oval:org.open-scap.f14:tst:2015752"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S clock_settime -k time-change" test_ref="oval:org.open-scap.f14:tst:2015753"/> > </criteria> > </criteria> > <criterion comment="/etc/audit/audit.rules contains -w /etc/localtime -p wa -k time-change" test_ref="oval:org.open-scap.f14:tst:2015754"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20158" version="1"> > <metadata> > <title>Record Events that Modify User/Group Information</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about User/Group Information are enabled</description> > </metadata> > <criteria> > <criterion comment="/etc/audit/audit.rules contains -w /etc/group -p wa -k identity" test_ref="oval:org.open-scap.f14:tst:201580"/> > <criterion comment="/etc/audit/audit.rules contains -w /etc/passwd -p wa -k identity" test_ref="oval:org.open-scap.f14:tst:201581"/> > <criterion comment="/etc/audit/audit.rules contains -w /etc/gshadow -p wa -k identity" test_ref="oval:org.open-scap.f14:tst:201582"/> > <criterion comment="/etc/audit/audit.rules contains -w /etc/shadow -p wa -k identity" test_ref="oval:org.open-scap.f14:tst:201583"/> > <criterion comment="/etc/audit/audit.rules contains -w /etc/security/opasswd -p wa -k identity" test_ref="oval:org.open-scap.f14:tst:201584"/> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20159" version="1"> > <metadata> > <title>Record Events that Modify the System's Network Environment</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the System's Network Environment are enabled</description> > </metadata> > <criteria> > <criteria comment="Architecture is 32 bit or 64 bit" operator="OR"> > <criteria comment="32bit arch"> > <criterion comment="check that arch is i386 or i686" test_ref="oval:org.open-scap.f14:tst:201670"/> > <criterion comment="/etc/audit/audit.rules contains -a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale" test_ref="oval:org.open-scap.f14:tst:201590"/> > </criteria> > <criteria comment="64bit arch"> > <criterion comment="check that arch is x86_64 ia64 amd64 ppc64 s390x" test_ref="oval:org.open-scap.f14:tst:201672"/> > <criterion comment="/etc/audit/audit.rules contains -a exit,always -F arch=ARCH -S sethostname -S setdomainname -k system-locale" test_ref="oval:org.open-scap.f14:tst:201591"/> > </criteria> > </criteria> > <criterion comment="/etc/audit/audit.rules contains -w /etc/issue -p wa -k system-locale" test_ref="oval:org.open-scap.f14:tst:201592"/> > <criterion comment="/etc/audit/audit.rules contains -w /etc/issue.net -p wa -k system-locale" test_ref="oval:org.open-scap.f14:tst:201593"/> > <criterion comment="/etc/audit/audit.rules contains -w /etc/hosts -p wa -k system-locale" test_ref="oval:org.open-scap.f14:tst:201594"/> > <criterion comment="/etc/audit/audit.rules contains -w /etc/sysconfig/network -p wa -k system-locale" test_ref="oval:org.open-scap.f14:tst:201595"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20160" version="1"> > <metadata> > <title>Record Events that Modify the System's Mandatory Access Controls</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the System's Mandatory Access Controls are enabled</description> > 
</metadata> > <criteria> > <criterion comment="/etc/audit/audit.rules contains -w /etc/selinux/ -p wa -k MAC-policy" test_ref="oval:org.open-scap.f14:tst:20160"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20161" version="1"> > <metadata> > <title>Ensure auditd Collects Logon and Logout Events</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the Logon and Logout Events are enabled</description> > </metadata> > <criteria> > <criterion comment="/etc/audit/audit.rules contains -w /var/log/faillog -p wa -k logins" test_ref="oval:org.open-scap.f14:tst:201610"/> > <criterion comment="/etc/audit/audit.rules contains -w /var/log/lastlog -p wa -k logins" test_ref="oval:org.open-scap.f14:tst:201611"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20162" version="1"> > <metadata> > <title>Ensure auditd Collects Process and Session Initiation Information</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the Process and Session Initiation Information are enabled</description> > </metadata> > <criteria> > <criterion comment="/etc/audit/audit.rules contains -w /var/run/utmp -p wa -k session" test_ref="oval:org.open-scap.f14:tst:201620"/> > <criterion comment="/etc/audit/audit.rules contains -w /var/log/btmp -p wa -k session" test_ref="oval:org.open-scap.f14:tst:201621"/> > <criterion comment="/etc/audit/audit.rules contains -w /var/log/wtmp -p wa -k session" test_ref="oval:org.open-scap.f14:tst:201622"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20163" version="1"> > <metadata> > <title>Ensure auditd Collects Discretionary Access Control Permission Modification Events</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the Discretionary Access Control Permission Modification Events are enabled</description> > </metadata> > <criteria 
comment="Architecture is 32 bit or 64 bit" operator="OR"> > <criteria comment="32bit arch"> > <criterion comment="check that arch is i386 or i686" test_ref="oval:org.open-scap.f14:tst:201670"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" test_ref="oval:org.open-scap.f14:tst:201630"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" test_ref="oval:org.open-scap.f14:tst:201631"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" test_ref="oval:org.open-scap.f14:tst:201632"/> > </criteria> > <criteria comment="64bit arch"> > <criterion comment="check that arch is x86_64 ia64 amd64 ppc64 s390x" test_ref="oval:org.open-scap.f14:tst:201672"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" test_ref="oval:org.open-scap.f14:tst:201633"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" test_ref="oval:org.open-scap.f14:tst:201634"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" test_ref="oval:org.open-scap.f14:tst:201635"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20164" version="1"> > <metadata> > <title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</title> > <reference ref_id="TBD" source="CCE"/> 
> <description>Audit rules about the Unauthorized Access Attempts to Files (unsuccessful) are enabled</description> > </metadata> > <criteria comment="Architecture is 32 bit or 64 bit" operator="OR"> > <criteria comment="32bit arch"> > <criterion comment="check that arch is i386 or i686" test_ref="oval:org.open-scap.f14:tst:201670"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" test_ref="oval:org.open-scap.f14:tst:201640"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" test_ref="oval:org.open-scap.f14:tst:201641"/> > </criteria> > <criteria comment="64bit arch"> > <criterion comment="check that arch is x86_64 ia64 amd64 ppc64 s390x" test_ref="oval:org.open-scap.f14:tst:201672"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" test_ref="oval:org.open-scap.f14:tst:201642"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" test_ref="oval:org.open-scap.f14:tst:201643"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20165" version="1"> > <metadata> > <title>Ensure auditd Collects Information on the Use of Privileged Commands</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the Information on the Use of Privileged Commands are enabled</description> > </metadata> > <criteria> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 
-k privileged" test_ref="oval:org.open-scap.f14:tst:20165"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20166" version="1"> > <metadata> > <title>Ensure auditd Collects Information on Exporting to Media (successful)</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the Information on Exporting to Media (successful) are enabled</description> > </metadata> > <criteria comment="Architecture is 32 bit or 64 bit" operator="OR"> > <criteria comment="32bit arch"> > <criterion comment="check that arch is i386 or i686" test_ref="oval:org.open-scap.f14:tst:201670"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export" test_ref="oval:org.open-scap.f14:tst:201660"/> > </criteria> > <criteria comment="64bit arch"> > <criterion comment="check that arch is x86_64 ia64 amd64 ppc64 s390x" test_ref="oval:org.open-scap.f14:tst:201672"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export" test_ref="oval:org.open-scap.f14:tst:201661"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20167" version="1"> > <metadata> > <title>Ensure auditd Collects Files Deletion Events by User (successful and unsuccessful)</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the Files Deletion Events by User (successful and unsuccessful) are enabled</description> > </metadata> > <criteria comment="Architecture is 32 bit or 64 bit" operator="OR"> > <criteria comment="32bit arch"> > <criterion comment="check that arch is i386 or i686" test_ref="oval:org.open-scap.f14:tst:201670"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" 
test_ref="oval:org.open-scap.f14:tst:201671"/> > </criteria> > <criteria comment="64bit arch"> > <criterion comment="check that arch is x86_64 ia64 amd64 ppc64 s390x" test_ref="oval:org.open-scap.f14:tst:201672"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" test_ref="oval:org.open-scap.f14:tst:201673"/> > </criteria> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20168" version="1"> > <metadata> > <title>Ensure auditd Collects System Administrator Actions</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the System Administrator Actions are enabled</description> > </metadata> > <criteria> > <criterion comment="/etc/audit/audit.rules contains -w /etc/sudoers -p wa -k actions" test_ref="oval:org.open-scap.f14:tst:20168"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201685" version="1"> > <metadata> > <title>Ensure auditd Collects Information on Kernel Module Loading and Unloading</title> > <reference ref_id="TBD" source="CCE"/> > <description>Audit rules about the Information on Kernel Module Loading and Unloading.</description> > </metadata> > <criteria> > <!-- <criterion comment="/etc/audit/audit.rules contains -w /sbin/insmod -p x -k modules" test_ref="oval:org.open-scap.f14:tst:2016851"/> --> > <criterion comment="/etc/audit/audit.rules contains -w /sbin/rmmod -p x -k modules" test_ref="oval:org.open-scap.f14:tst:2016852"/> > <criterion comment="/etc/audit/audit.rules contains -w /sbin/modprobe -p x -k modules" test_ref="oval:org.open-scap.f14:tst:2016853"/> > <criterion comment="/etc/audit/audit.rules contains -a always,exit -S init_module -S delete_module -k modules" test_ref="oval:org.open-scap.f14:tst:2016854"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20169" version="1"> > <metadata> > <title>Make the auditd Configuration Immutable</title> > <reference ref_id="TBD" source="CCE"/> > <description>Force a reboot to change audit rules is enabled</description> > </metadata> > <criteria> > <criterion comment="look in /etc/audit/audit.rules for -e 2" test_ref="oval:org.open-scap.f14:tst:20169"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20170" version="1"> > <metadata> > <title>Inetd and Xinetd</title> > <reference ref_id="CCE-4234-1" source="CCE"/> > <description>The inetd service should be disabled.</description> > </metadata> > <criteria comment="inetd is not installed or conditions are met" operator="OR"> > <extend_definition comment="inetd is not installed" definition_ref="oval:org.open-scap.f14:def:20172"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20170"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20171" version="1"> > <metadata> > <title>Inetd and Xinetd</title> > <reference ref_id="CCE-4252-3" source="CCE"/> > <description>The xinetd service should be disabled.</description> > </metadata> > <criteria comment="xinetd is not installed or conditions are met" operator="OR"> > <extend_definition comment="xinetd is not installed" definition_ref="oval:org.open-scap.f14:def:20173"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20171"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20172" version="1"> > <metadata> > <title>Inetd and Xinetd</title> > <reference ref_id="CCE-4023-8" source="CCE"/> > <description>The inetd package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20172"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20173" version="1"> > <metadata> > <title>Inetd and Xinetd</title> > <reference ref_id="CCE-4164-0" source="CCE"/> > <description>The xinetd package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20173"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20174" version="1"> > <metadata> > <title>Telnet</title> > <reference ref_id="CCE-4330-7" source="CCE"/> > <description>The telnet-server package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20174"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201745" version="1"> > <metadata> > <title>Disable Telnet service</title> > <reference ref_id="CCE-3390-2" source="CCE"/> > <description>The telnet service should be disabled.</description> > </metadata> > <criteria comment="telnet is not installed or conditions are met" operator="OR"> > <extend_definition comment="telnet is not installed" definition_ref="oval:org.open-scap.f14:def:20174"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:201745"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20175" version="1"> > <metadata> > <title>Telnet Client installation</title> > <reference ref_id="TBD" source="CCE"/> > <description>The telnet package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20175"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20176" version="1"> > <metadata> > <title>Telnet kerberos client</title> > <reference ref_id="TBD" source="CCE"/> > <description>The krb5-workstation package should be 
uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20176"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20177" version="1"> > <metadata> > <title>Remove the Rsh Server Commands from the System</title> > <reference ref_id="CCE-4308-3" source="CCE"/> > <description>The rsh-server package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20177"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201774" version="1"> > <metadata> > <title>disable rcp</title> > <reference ref_id="CCE-3974-3" source="CCE"/> > <description>The rcp service should be disabled.</description> > </metadata> > <criteria comment="telnet-server is not installed or conditions are met" operator="OR"> > <extend_definition comment="rsh-server is not installed" definition_ref="oval:org.open-scap.f14:def:20177"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201775" version="1"> > <metadata> > <title>disable rsh</title> > <reference ref_id="CCE-4141-8" source="CCE"/> > <description>The rsh service should be disabled.</description> > </metadata> > <criteria comment="telnet-server is not installed or conditions are met" operator="OR"> > <extend_definition comment="rsh-server is not installed" definition_ref="oval:org.open-scap.f14:def:20177"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:201775"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201776" version="1"> > <metadata> > <title>disable rlogin</title> > <reference ref_id="CCE-3537-8" source="CCE"/> > <description>The rlogin service should be 
disabled.</description> > </metadata> > <criteria comment="telnet-server is not installed or conditions are met" operator="OR"> > <extend_definition comment="rsh-server is not installed" definition_ref="oval:org.open-scap.f14:def:20177"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:201776"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20178" version="1"> > <metadata> > <title>Remove .rhosts Support from PAM Configuration Files</title> > <reference ref_id="TBD" source="CCE"/> > <description>Check that pam rhosts authentication is not used by any PAM services.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20178"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20179" version="1"> > <metadata> > <title>Remove the Rsh Client Commands from the System</title> > <reference ref_id="TBD" source="CCE"/> > <description>The rsh package, which contains client programs for many of r-commands should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20179"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20180" version="1"> > <metadata> > <title>NIS</title> > <reference ref_id="CCE-4348-9" source="CCE"/> > <description>The ypserv package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20180"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20181" version="1"> > <metadata> > <title>NIS</title> > <reference ref_id="CCE-3705-1" source="CCE"/> > <description>The ypbind service should be disabled.</description> > </metadata> > <criteria comment="ypserv is not installed or conditions are 
met" operator="OR"> > <extend_definition comment="ypserv is not installed" definition_ref="oval:org.open-scap.f14:def:20180"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20181"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20182" version="1"> > <metadata> > <title>Uninstall TFTP Server</title> > <reference ref_id="CCE-3916-4" source="CCE"/> > <description>The tftp-server package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20182"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:201825" version="1"> > <metadata> > <title>Disable TFTP Server</title> > <reference ref_id="CCE-4273-9" source="CCE"/> > <description>The tftp service should be disabled.</description> > </metadata> > <criteria comment="tftp-server is not installed or conditions are met" operator="OR"> > <extend_definition comment="tftp-server is not installed" definition_ref="oval:org.open-scap.f14:def:20182"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:201825"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20183" version="1"> > <metadata> > <title>Installation Helper Service (firstboot)</title> > <reference ref_id="CCE-3412-4" source="CCE"/> > <description>The firstboot service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20183"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20184" version="1"> > <metadata> > <title>Console Mouse Service (gpm)</title> > <reference ref_id="CCE-4229-1" source="CCE"/> > <description>The gpm service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are 
satisfied" test_ref="oval:org.open-scap.f14:tst:20184"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20185" version="1"> > <metadata> > <title>Interrupt Distribution on Multiprocessor Systems (irqbalance)</title> > <reference ref_id="CCE-4123-6" source="CCE"/> > <description>The irqbalance service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20185"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20186" version="1"> > <metadata> > <title>ISDN Support (isdn)</title> > <reference ref_id="CCE-4286-1" source="CCE"/> > <description>The isdn service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20186"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20187" version="1"> > <metadata> > <title>Kdump Kernel Crash Analyzer (kdump)</title> > <reference ref_id="CCE-3425-6" source="CCE"/> > <description>The kdump service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20187"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20188" version="1"> > <metadata> > <title>Kudzu Hardware Probing Utility (kudzu)</title> > <reference ref_id="CCE-4211-9" source="CCE"/> > <description>The kudzu service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20188"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20189" version="1"> > <metadata> > <title>Software RAID Monitor (mdmonitor)</title> > <reference ref_id="CCE-3854-7" source="CCE"/> > <description>The mdmonitor 
service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20189"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20190" version="1"> > <metadata> > <title>IA32 Microcode Utility(microcodectl)</title> > <reference ref_id="CCE-4356-2" source="CCE"/> > <description>The microcode_ctl service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20190"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20191" version="1"> > <metadata> > <title>Disable All Networking if Not Needed</title> > <reference ref_id="TBD" source="CCE"/> > <description>The network service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20191"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20192" version="1"> > <metadata> > <title>Disable All External Network Interfaces if Not Needed</title> > <reference ref_id="CCE-4369-5" source="CCE"/> > <description>All files of the form ifcfg-interface except > for ifcfg-lo in /etc/sysconfig/network-scripts should be removed</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20192"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20193" version="1"> > <metadata> > <title>Disable Zeroconf Networking</title> > <reference ref_id="CCE-4369-5" source="CCE"/> > <description>Disable Zeroconf automatic route assignment in the 169.245.0.0 subnet.</description> > </metadata> > <criteria> > <criterion comment="Look for NOZEROCONF=yes in /etc/sysconfig/network" test_ref="oval:org.open-scap.f14:tst:20193"/> > </criteria> > 
</definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20194" version="1"> > <metadata> > <title>Smart Card Support (pcscd)</title> > <reference ref_id="CCE-4100-4" source="CCE"/> > <description>The pcscd service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20194"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20195" version="1"> > <metadata> > <title>SMART Disk Monitoring Support (smartd)</title> > <reference ref_id="CCE-3455-3" source="CCE"/> > <description>The smartd service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20195"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20196" version="1"> > <metadata> > <title>Boot Caching (readahead early/readahead later)</title> > <reference ref_id="CCE-4421-4" source="CCE"/> > <description>The readahead_early service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20196"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20197" version="1"> > <metadata> > <title>Boot Caching (readahead early/readahead later)</title> > <reference ref_id="CCE-4302-6" source="CCE"/> > <description>The readahead_later service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20197"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20198" version="1"> > <metadata> > <title>D-Bus IPC Service (messagebus)</title> > <reference ref_id="CCE-3822-4" source="CCE"/> > <description>The messagebus service should be disabled.</description> > </metadata> > 
<criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20198"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20199" version="1"> > <metadata> > <title>HAL Daemon (haldaemon)</title> > <reference ref_id="CCE-4364-6" source="CCE"/> > <description>The haldaemon service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20199"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20200" version="1"> > <metadata> > <title>Bluetooth Host Controller Interface Daemon (bluetooth)</title> > <reference ref_id="CCE-4355-4" source="CCE"/> > <description>The bluetooth service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20200"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20201" version="1"> > <metadata> > <title>Bluetooth Input Devices (hidd)</title> > <reference ref_id="CCE-4377-8" source="CCE"/> > <description>The hidd service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20201"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:202015" version="1"> > <metadata> > <title>Disable Bluetooth Kernel Modules</title> > <reference ref_id="TBD" source="CCE"/> > <description>Prevent loading of the Bluetooth module.</description> > </metadata> > <criteria> > <criterion comment="check that net-pf-31 is off in /etc/modprobe.conf" test_ref="oval:org.open-scap.f14:tst:2020151"/> > <criterion comment="check that bluetooth is off in /etc/modprobe.conf" test_ref="oval:org.open-scap.f14:tst:2020152"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20202" version="1"> > <metadata> > <title>Advanced Power Management Subsystem (apmd)</title> > <reference ref_id="CCE-4289-5" source="CCE"/> > <description>The apmd service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20202"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20203" version="1"> > <metadata> > <title>Advanced Configuration and Power Interface (acpid)</title> > <reference ref_id="CCE-4298-6" source="CCE"/> > <description>The acpid service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20203"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20204" version="1"> > <metadata> > <title>CPU Throttling (cpuspeed)</title> > <reference ref_id="CCE-4051-9" source="CCE"/> > <description>The cpuspeed service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20204"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20205" version="1"> > <metadata> > <title>Cron Daemon running state</title> > <reference ref_id="CCE-4324-0" source="CCE"/> > <description>The crond service should be enabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20205"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:202052" version="1"> > <metadata> > <title>At Daemon running state</title> > <reference ref_id="TBD" source="CCE"/> > <description>The atd service should be disabled.</description> > </metadata> > <criteria comment="at is not installed or conditions are met" operator="OR"> > <extend_definition 
comment="at is not installed" definition_ref="oval:org.open-scap.f14:def:202053"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:202052"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:202053" version="1"> > <metadata> > <title>At Daemons package is installed</title> > <reference ref_id="TBD" source="CCE"/> > <description>The at package should be removed.</description> > </metadata> > <criteria> > <criterion comment="Check for package at" test_ref="oval:org.open-scap.f14:tst:202053"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20206" version="1"> > <metadata> > <title>Disable anacron if Possible</title> > <reference ref_id="CCE-4406-5" source="CCE"/> > <description>The anacron service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20206"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20207" version="1"> > <metadata> > <title>Disable anacron if Possible</title> > <reference ref_id="CCE-4428-9" source="CCE"/> > <description>The anacron package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20207"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20208" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-3626-9" source="CCE"/> > <description>The /etc/crontab file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20208"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20209" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by 
cron</title> > <reference ref_id="CCE-3851-3" source="CCE"/> > <description>The /etc/crontab file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20209"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20210" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4388-5" source="CCE"/> > <description>File permissions for /etc/crontab should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20210"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20211" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-3604-6" source="CCE"/> > <description>The /etc/anacrontab file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20211"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20212" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4379-4" source="CCE"/> > <description>The /etc/anacrontab file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20212"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20213" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4304-2" source="CCE"/> > <description>File permissions for /etc/anacrontab should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20213"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20214" 
version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4054-3" source="CCE"/> > <description>The /etc/cron.hourly file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20214"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20215" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-3481-9" source="CCE"/> > <description>The /etc/cron.daily file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20215"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20216" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4331-5" source="CCE"/> > <description>The /etc/cron.weekly file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20216"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20217" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4322-4" source="CCE"/> > <description>The /etc/cron.monthly file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20217"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20218" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4212-7" source="CCE"/> > <description>The /etc/cron.d file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20218"/> > </criteria> > 
</definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20219" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-3983-4" source="CCE"/> > <description>The /etc/cron.hourly file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20219"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20220" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4022-0" source="CCE"/> > <description>The /etc/cron.daily file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20220"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20221" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-3833-1" source="CCE"/> > <description>The /etc/cron.weekly file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20221"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20222" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4441-2" source="CCE"/> > <description>The /etc/cron.monthly file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20222"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20223" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4380-2" source="CCE"/> > <description>The /etc/cron.d file should be owned by the appropriate user.</description> > </metadata> > 
<criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20223"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20224" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4106-1" source="CCE"/> > <description>File permissions for /etc/cron.hourly should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20224"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20225" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4450-3" source="CCE"/> > <description>File permissions for /etc/cron.daily should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20225"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20226" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4203-6" source="CCE"/> > <description>File permissions for /etc/cron.weekly should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20226"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20227" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4251-5" source="CCE"/> > <description>File permissions for /etc/cron.monthly should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20227"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20228" version="1"> > <metadata> > <title>Restrict Permissions on Files Used by cron</title> > <reference ref_id="CCE-4250-7" source="CCE"/> > <description>File permissions for 
/etc/cron.d should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20228"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20229" version="1"> > <metadata> > <title>Restrict group owner on /var/spool/cron file</title> > <reference ref_id="TBD" source="CCE"/> > <description>The /var/spool/cron file should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20229"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20230" version="1"> > <metadata> > <title>Restrict user owner on /var/spool/cron file</title> > <reference ref_id="TBD" source="CCE"/> > <description>The /var/spool/cron file should be owned by the appropriate user.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20230"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20231" version="1"> > <metadata> > <title>Restrict Permissions on /var/spool/cron file</title> > <reference ref_id="TBD" source="CCE"/> > <description>File permissions for /var/spool/cron should be set correctly.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20231"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20232" version="1"> > <metadata> > <title>Remove /etc/cron.deny</title> > <reference ref_id="TBD" source="CCE"/> > <description>/etc/cron.deny file should not exist.</description> > </metadata> > <criteria> > <criterion comment="Check existence of file /etc/cron.deny" test_ref="oval:org.open-scap.f14:tst:20232"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20233" version="1"> > <metadata> > <title>Remove /etc/at.deny</title> > <reference ref_id="TBD" source="CCE"/> > 
<description>/etc/at.deny file should not exist.</description> > </metadata> > <criteria> > <criterion comment="Check existence of file /etc/at.deny" test_ref="oval:org.open-scap.f14:tst:20233"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20234" version="1"> > <metadata> > <title>Disable OpenSSH Software</title> > <reference ref_id="CCE-4268-9" source="CCE"/> > <description>The sshd service should be disabled.</description> > </metadata> > <criteria comment="SSH is not installed or conditions are met" operator="OR"> > <extend_definition comment="ssh is not installed" definition_ref="oval:org.open-scap.f14:def:20235"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20234"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20235" version="1"> > <metadata> > <title>Remove OpenSSH Software</title> > <reference ref_id="CCE-4272-1" source="CCE"/> > <description>SSH should be uninstalled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20235"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20236" version="1"> > <metadata> > <title>Remove SSH Server iptables Firewall Exception</title> > <reference ref_id="CCE-4295-2" source="CCE"/> > <description>Inbound connections to the ssh port should be denied (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Remove IPv4 inbound connections" test_ref="oval:org.open-scap.f14:tst:20236"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20237" version="1"> > <metadata> > <title>Remove SSH Server ip6tables Firewall 
Exception</title> > <reference ref_id="TBD" source="CCE"/> > <description>Inbound connections to the ssh port should be denied (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Remove IPv6 inbound connections" test_ref="oval:org.open-scap.f14:tst:20237"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20238" version="1"> > <metadata> > <title>Ensure Only Protocol 2 Connections Allowed</title> > <reference ref_id="CCE-4325-7" source="CCE"/> > <description>SSH version 1 protocol support should be disabled. (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20238"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20239" version="1"> > <metadata> > <title>Set Idle Timeout Interval for User Logins</title> > <reference ref_id="CCE-3845-5" source="CCE"/> > <description>The SSH idle timout interval should be set to an appropriate value (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:org.open-scap.f14:tst:20239"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20240" version="1"> > <metadata> > <title>Set ClientAliveCountMax for User Logins</title> > <reference ref_id="TBD" 
source="CCE"/> > <description>The SSH ClientAliveCountMax should be set to an appropriate value (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="check ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:org.open-scap.f14:tst:20240"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20241" version="1"> > <metadata> > <title>Disable .rhosts Files</title> > <reference ref_id="CCE-4475-0" source="CCE"/> > <description>Emulation of the rsh command through the ssh server should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20241"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20242" version="1"> > <metadata> > <title>Disable Host-Based Authentication</title> > <reference ref_id="CCE-4370-3" source="CCE"/> > <description>SSH host-based authentication should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20242"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20243" version="1"> > <metadata> > <title>Disable root Login via SSH</title> > <reference ref_id="CCE-4387-7" source="CCE"/> > <description>Root login via SSH should be disabled 
(and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20243"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20244" version="1"> > <metadata> > <title>Disable Empty Passwords</title> > <reference ref_id="CCE-3660-8" source="CCE"/> > <description>Remote connections from accounts with empty passwords should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20244"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20245" version="1"> > <metadata> > <title>Enable a Warning Banner</title> > <reference ref_id="CCE-4431-3" source="CCE"/> > <description>SSH warning banner should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20245"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:202455" version="1"> > <metadata> > <title>Do Not Allow Users to Set Environment Options</title> > <reference ref_id="CCE-4422-2" source="CCE"/> > <description>PermitUserEnvironment should be disabled</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > 
<extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Check value of PermitUserEnvironment in /etc/ssh/sshd_config" test_ref="oval:org.open-scap.f14:tst:202455"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:202456" version="1"> > <metadata> > <title>Use Only Approved Ciphers</title> > <reference ref_id="CCE-4422-2" source="CCE"/> > <description>Use only approved ciphers</description> > </metadata> > <criteria comment="SSH is not being used or conditions are met" operator="OR"> > <extend_definition comment="sshd service is disabled" definition_ref="oval:org.open-scap.f14:def:20234"/> > <criterion comment="Check value of Ciphers in /etc/ssh/sshd_config" test_ref="oval:org.open-scap.f14:tst:202456"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20246" version="1"> > <metadata> > <title>Disable X Windows at System Boot</title> > <reference ref_id="CCE-4462-8" source="CCE"/> > <description>X Windows should be disabled at system boot</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20246"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20247" version="1"> > <metadata> > <title>Remove X Windows from the System if Possible</title> > <reference ref_id="CCE-4422-2" source="CCE"/> > <description>X Windows should be removed</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20248" version="1"> > <metadata> > <title>Disable X Window System Listening</title> > <reference ref_id="CCE-4074-1" source="CCE"/> > <description>Disable the ability to provide remote graphical display</description> > </metadata> > <criteria> > <criterion comment="Check for existence 
of line exec X :0 -nolisten tcp $@ in file /etc/X11/xinit/xserverrc" test_ref="oval:org.open-scap.f14:tst:20248"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20249" version="1"> > <metadata> > <title>Create Warning Banners for GUI Login Users</title> > <reference ref_id="CCE-3717-6" source="CCE"/> > <description>Enable warning banner for GUI login</description> > </metadata> > <criteria> > <criterion comment="check the value of InfoMsgFile=/etc/issue in /etc/gdm/custom.conf" test_ref="oval:org.open-scap.f14:tst:20249"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20250" version="1"> > <metadata> > <title>Disable Avahi Server Software</title> > <reference ref_id="CCE-4365-3" source="CCE"/> > <description>The avahi-daemon service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20250"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20251" version="1"> > <metadata> > <title>Serve Only via Required Protocol</title> > <reference ref_id="CCE-4136-8" source="CCE"/> > <description>The Avahi daemon should be configured not to serve via Ipv6 (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or do not use ipv6" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:20251"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20252" version="1"> > <metadata> > <title>Serve Only via Required Protocol</title> > <reference ref_id="CCE-4409-9" source="CCE"/> > <description>The Avahi daemon should be configured not to serve via Ipv4 (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is 
diabled or do not use ipv4" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:20252"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20253" version="1"> > <metadata> > <title>Check Responses' TTL Field</title> > <reference ref_id="CCE-4426-3" source="CCE"/> > <description>Avahi should be configured to reject packets with a TTL field not equal to 255 (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20253"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20254" version="1"> > <metadata> > <title>Prevent Other Programs from Using Avahi's Port</title> > <reference ref_id="CCE-4193-9" source="CCE"/> > <description>Avahi should be configured to not allow other stacks from binding to port 5353 (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20254"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20255" version="1"> > <metadata> > <title>Disable Publishing if Possible</title> > <reference ref_id="CCE-4444-6" source="CCE"/> > <description>Avahi publishing of local information should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion 
test_ref="oval:org.open-scap.f14:tst:20255"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20256" version="1"> > <metadata> > <title>Restrict Published Information</title> > <reference ref_id="CCE-4352-1" source="CCE"/> > <description>Avahi publishing of local information by user applications should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20256"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20257" version="1"> > <metadata> > <title>Restrict Published Information</title> > <reference ref_id="CCE-4433-9" source="CCE"/> > <description>Avahi publishing of hardware information should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20257"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20258" version="1"> > <metadata> > <title>Restrict Published Information</title> > <reference ref_id="CCE-4451-1" source="CCE"/> > <description>Avahi publishing of workstation name should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20258"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20259" version="1"> > <metadata> > <title>Restrict Published 
Information</title> > <reference ref_id="CCE-4341-4" source="CCE"/> > <description>Avahi publishing of IP addresses should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20259"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20260" version="1"> > <metadata> > <title>Restrict Published Information</title> > <reference ref_id="CCE-4358-8" source="CCE"/> > <description>Avahi publishing of domain name should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="avahi is diabled or conditions are met" operator="OR"> > <extend_definition comment="avahi is disabled" definition_ref="oval:org.open-scap.f14:def:20250"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20260"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20261" version="1"> > <metadata> > <title>Disable the CUPS Service if Possible</title> > <reference ref_id="CCE-4112-9" source="CCE"/> > <description>The cups service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20261"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20262" version="1"> > <metadata> > <title>Disable Firewall Access to Printing Service over IPv4 if Possible</title> > <reference ref_id="CCE-3649-1" source="CCE"/> > <description>Firewall access to printing service should be disabled</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20263" version="1"> > 
<metadata> > <title>Disable Firewall Access to Printing Service over IPv6 if Possible</title> > <reference ref_id="TBD" source="CCE"/> > <description>Firewall access to printing service should be disabled</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20264" version="1"> > <metadata> > <title>Disable Printer Browsing Entirely if Possible</title> > <reference ref_id="CCE-4420-6" source="CCE"/> > <description>Remote print browsing should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="CUPS is disabled or conditions are met" operator="OR"> > <extend_definition comment="CUPS is disabled" definition_ref="oval:org.open-scap.f14:def:20261"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20264"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20265" version="1"> > <metadata> > <title>Disable Printer Browsing Entirely if Possible</title> > <reference ref_id="CCE-4407-3" source="CCE"/> > <description>CUPS should be allowed or denied the ability to listen for Incoming printer information as appropriate (and dependencies are met)</description> > </metadata> > <criteria comment="CUPS is disabled or conditions are met" operator="OR"> > <extend_definition comment="CUPS is disabled" definition_ref="oval:org.open-scap.f14:def:20261"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20265"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20266" version="1"> > <metadata> > <title>Disable HPLIP Service if Possible</title> > <reference ref_id="CCE-4425-5" source="CCE"/> > <description>The hplip service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" 
test_ref="oval:org.open-scap.f14:tst:20266"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20267" version="1"> > <metadata> > <title>Disable DHCP Client if Possible</title> > <reference ref_id="CCE-4191-3" source="CCE"/> > <description>The dhcp client service should be disabled for each interface.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20267"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20268" version="1"> > <metadata> > <title>Disable DHCP Server if possible</title> > <reference ref_id="CCE-4336-4" source="CCE"/> > <description>The dhcpd service should be enabled or disabled as appropriate.</description> > </metadata> > <criteria comment="dhcp is not installed or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not installed" definition_ref="oval:org.open-scap.f14:def:20269"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20268"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20269" version="1"> > <metadata> > <title>Disable DHCP Server if possible</title> > <reference ref_id="CCE-4464-4" source="CCE"/> > <description>The dhcp package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20269"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20270" version="1"> > <metadata> > <title>Do Not Use Dynamic DNS</title> > <reference ref_id="CCE-4257-2" source="CCE"/> > <description>The dynamic DNS feature of the DHCP server should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" 
definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20270"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20271" version="1"> > <metadata> > <title>Deny Decline Messages</title> > <reference ref_id="CCE-4403-2" source="CCE"/> > <description>DHCPDECLINE messages should be denied by the DHCP server (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20271"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20272" version="1"> > <metadata> > <title>Deny BOOTP Queries</title> > <reference ref_id="CCE-4345-5" source="CCE"/> > <description>BOOTP queries should be accepted or denied by the DHCP server as appropriate (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20272"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20273" version="1"> > <metadata> > <title>Minimize Served Information</title> > <reference ref_id="CCE-3724-2" source="CCE"/> > <description>Domain name server information should be sent or not sent by the DHCP server as appropriate. 
(and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20274" version="1"> > <metadata> > <title>Minimize Served Information</title> > <reference ref_id="CCE-4243-2" source="CCE"/> > <description>Default routers should be sent or not sent by the DHCP server as appropriate. (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20275" version="1"> > <metadata> > <title>Minimize Served Information</title> > <reference ref_id="CCE-4389-3" source="CCE"/> > <description>Domain name should be sent or not sent by the DHCP server as appropriate. (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20276" version="1"> > <metadata> > <title>Minimize Served Information</title> > <reference ref_id="CCE-3913-1" source="CCE"/> > <description>NIS domain should be sent or not sent by the DHCP server as appropriate. 
(and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20277" version="1"> > <metadata> > <title>Minimize Served Information</title> > <reference ref_id="CCE-4169-9" source="CCE"/> > <description>NIS servers should be sent or not sent by the DHCP server as appropriate. (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20278" version="1"> > <metadata> > <title>Minimize Served Information</title> > <reference ref_id="CCE-4318-2" source="CCE"/> > <description>Time offset should be sent or not sent by the DHCP server as appropriate. (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20279" version="1"> > <metadata> > <title>Minimize Served Information</title> > <reference ref_id="CCE-4319-0" source="CCE"/> > <description>NTP servers should be sent or not sent by the DHCP server as appropriate. 
(and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20280" version="1"> > <metadata> > <title>Configure DHCP Logging</title> > <reference ref_id="CCE-3733-3" source="CCE"/> > <description>dhcpd logging should be enabled. (and dependencies are met)</description> > </metadata> > <criteria comment="dhcp is not enabled or conditions are met" operator="OR"> > <extend_definition comment="dhcp is not enabled" definition_ref="oval:org.open-scap.f14:def:20268"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20280"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20281" version="1"> > <metadata> > <title>Enable the NTP Daemon</title> > <reference ref_id="CCE-4376-0" source="CCE"/> > <description>The ntpd service should be enabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20281"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20282" version="1"> > <metadata> > <title>Deny All Access to ntpd by Default</title> > <reference ref_id="CCE-4134-3" source="CCE"/> > <description>Network access to ntpd should be denied (and dependencies are met)</description> > </metadata> > <criteria comment="ntpd is enabled and conditions are met" operator="AND"> > <extend_definition comment="ntpd is enabled" definition_ref="oval:org.open-scap.f14:def:20281"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20282"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20283" version="1"> > <metadata> > <title>Specify a Remote NTP Server for Time Data</title> > <reference ref_id="CCE-4385-1" source="CCE"/> > <description>A remote NTP Server for time synchronization should be specified (and dependencies are met)</description> > </metadata> > <criteria comment="ntpd is enabled and conditions are met" operator="AND"> > <extend_definition comment="ntpd is enabled" definition_ref="oval:org.open-scap.f14:def:20281"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20284" version="1"> > <metadata> > <title>Obtain NTP Software</title> > <reference ref_id="CCE-4032-9" source="CCE"/> > <description>OpenNTPD should be installed</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20285" version="1"> > <metadata> > <title>Enable the NTP Daemon</title> > <reference ref_id="CCE-4424-8" source="CCE"/> > <description>The ntp daemon should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="OpenNTPD is installed and conditions are met" operator="AND"> > <extend_definition comment="OpenNTPD is installed" definition_ref="oval:org.open-scap.f14:def:20284"/> > <extend_definition comment="ntpd is enabled" definition_ref="oval:org.open-scap.f14:def:20281" negate="true"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20285"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20286" version="1"> > <metadata> > <title>Configure the Client NTP Daemon to Use the Local Server</title> > <reference ref_id="CCE-3487-6" source="CCE"/> > <description>The ntp daemon synchronization server should be set appropriately (and 
dependencies are met)</description> > </metadata> > <criteria comment="OpenNTPD is installed and conditions are met" operator="AND"> > <extend_definition comment="OpenNTPD is installed" definition_ref="oval:org.open-scap.f14:def:20284"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20287" version="1"> > <metadata> > <title>Mail Transfer Agent</title> > <reference ref_id="CCE-4416-4" source="CCE"/> > <description>The sendmail service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20287"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20288" version="1"> > <metadata> > <title>Disable the Listening Sendmail Daemon</title> > <reference ref_id="CCE-4293-7" source="CCE"/> > <description>The listening sendmail daemon should be disabled. 
(and dependencies are met)</description> > </metadata> > <criteria comment="sendmail is not enabled or conditions are met" operator="OR"> > <extend_definition comment="sendmail is not enabled" definition_ref="oval:org.open-scap.f14:def:20287"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20288"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:202885" version="1"> > <metadata> > <title>Configure LDAP to Use TLS for All Transactions</title> > <reference ref_id="TBD" source="CCE"/> > <description>Clients require LDAP servers to provide valid certificates for SSL communications.</description> > </metadata> > <criteria> > <criterion comment="look for tls_checkpeer yess in /etc/ldap.conf" test_ref="oval:org.open-scap.f14:tst:202885"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20289" version="1"> > <metadata> > <title>Install OpenLDAP Server RPM</title> > <reference ref_id="CCE-3501-4" source="CCE"/> > <description>The ldap service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20289"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20290" version="1"> > <metadata> > <title>Correct Permissions on LDAP Server Files</title> > <reference ref_id="CCE-4484-2" source="CCE"/> > <description>The /var/lib/ldap/* files should be owned by the appropriate group.</description> > </metadata> > <criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20290"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20291" version="1"> > <metadata> > <title>Correct Permissions on LDAP Server Files</title> > <reference ref_id="CCE-4502-1" source="CCE"/> > <description>The /var/lib/ldap/* files should be owned by the appropriate user.</description> > </metadata> > 
<criteria> > <criterion test_ref="oval:org.open-scap.f14:tst:20291"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20292" version="1"> > <metadata> > <title>Disable Services Used Only by NFS</title> > <reference ref_id="CCE-4396-8" source="CCE"/> > <description>The nfslock service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20292"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20293" version="1"> > <metadata> > <title>Disable Services Used Only by NFS</title> > <reference ref_id="CCE-3535-2" source="CCE"/> > <description>The rpcgssd service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20293"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20294" version="1"> > <metadata> > <title>Disable Services Used Only by NFS</title> > <reference ref_id="CCE-3568-3" source="CCE"/> > <description>The rpcidmapd service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20294"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20295" version="1"> > <metadata> > <title>Disable netfs if Possible</title> > <reference ref_id="CCE-4533-6" source="CCE"/> > <description>The netfs service should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20295"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20296" version="1"> > <metadata> > <title>Disable RPC Portmapper if Possible</title> > <reference ref_id="CCE-4550-0" source="CCE"/> > <description>The portmap service should be 
disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20296"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20297" version="1"> > <metadata> > <title>Configure NFS Services to Use Fixed Ports</title> > <reference ref_id="CCE-4559-1" source="CCE"/> > <description>The lockd service should be configured to use a static port for TCP</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20297"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20298" version="1"> > <metadata> > <title>Configure NFS Services to Use Fixed Ports</title> > <reference ref_id="CCE-4015-4" source="CCE"/> > <description>The statd service should be configured to use an outgoing static port</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20298"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20299" version="1"> > <metadata> > <title>Configure NFS Services to Use Fixed Ports</title> > <reference ref_id="CCE-3667-3" source="CCE"/> > <description>The statd service should be configured to use a static port</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20299"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20300" version="1"> > <metadata> > <title>Configure NFS Services to Use Fixed Ports</title> > <reference ref_id="CCE-4310-9" source="CCE"/> > <description>The lockd service should be configured to use a static port for UDP</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20300"/> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20301" version="1"> > <metadata> > <title>Configure NFS Services to Use Fixed Ports</title> > <reference ref_id="CCE-4438-8" source="CCE"/> > <description>The mountd service should be configured to use a static port</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20301"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20302" version="1"> > <metadata> > <title>Configure NFS Services to Use Fixed Ports</title> > <reference ref_id="CCE-3579-0" source="CCE"/> > <description>The rquotad service should be configured to use a static port</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20302"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20303" version="1"> > <metadata> > <title>Disable NFS Server Daemons</title> > <reference ref_id="CCE-4473-5" source="CCE"/> > <description>The nfs service should be disabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20303"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20304" version="1"> > <metadata> > <title>Disable NFS Server Daemons</title> > <reference ref_id="CCE-4491-7" source="CCE"/> > <description>The rpcsvcgssd service should be disabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20304"/> > </criteria> > </definition> > <!-- <definition class="compliance" id="oval:org.open-scap.f14:def:20305" version="1"> > <metadata> > <title>Mount Remote Filesystems with nodev</title> > <reference ref_id="CCE-4368-7" source="CCE"/> > <description>The nodev option should be enabled for all NFS mounts</description> > </metadata> > 
<criteria> > <criterion comment="if type is nfs[4] in /etc/fstab options should contain nodev" test_ref="oval:org.open-scap.f14:tst:203051"/> > <criterion comment="if type is nfs[4] in /etc/mtab options should contain nodev" test_ref="oval:org.open-scap.f14:tst:203052"/> > </criteria> > </definition> --> > <definition class="compliance" id="oval:org.open-scap.f14:def:20306" version="1"> > <metadata> > <title>Mount Remote Filesystems with nosuid</title> > <reference ref_id="CCE-4024-6" source="CCE"/> > <description>The nosuid option should be enabled for all NFS mounts</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20307" version="1"> > <metadata> > <title>Mount Remote Filesystems with noexec</title> > <reference ref_id="CCE-4526-0" source="CCE"/> > <description>The noexec option should be enabled for all NFS mounts</description> > </metadata> > <criteria> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20308" version="1"> > <metadata> > <title>Use Root-Squashing on All Exports</title> > <reference ref_id="CCE-4544-3" source="CCE"/> > <description>Root squashing should be enabled for all NFS shares</description> > </metadata> > <criteria comment="nfs is not running or conditions are met" operator="OR"> > <extend_definition comment="nfs is not running" definition_ref="oval:org.open-scap.f14:def:20312"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20308"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20309" version="1"> > <metadata> > <title>Restrict NFS Clients to Privileged Ports</title> > <reference ref_id="CCE-4465-1" source="CCE"/> > <description>Restriction of NFS clients to 
privileged ports should be enabled</description> > </metadata> > <criteria comment="nfs is not running or conditions are met" operator="OR"> > <extend_definition comment="nfs is not running" definition_ref="oval:org.open-scap.f14:def:20312"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20309"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20310" version="1"> > <metadata> > <title>Export Filesystems Read-Only if Possible</title> > <reference ref_id="CCE-4350-5" source="CCE"/> > <description>Write access to NFS shares should be disabled</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20310"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20311" version="1"> > <metadata> > <title>Disable DNS Server if Possible</title> > <reference ref_id="CCE-3578-2" source="CCE"/> > <description>The named service should be disabled.</description> > </metadata> > <criteria comment="bind is not installed or conditions are met" operator="OR"> > <extend_definition comment="bind is not installed" definition_ref="oval:org.open-scap.f14:def:20312"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20311"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20312" version="1"> > <metadata> > <title>Disable DNS Server if Possible</title> > <reference ref_id="CCE-4219-2" source="CCE"/> > <description>The bind package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20312"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20313" version="1"> > <metadata> > <title>Run DNS Software in a chroot Jail</title> > <reference ref_id="CCE-3985-9" source="CCE"/> > 
<description>The /var/named/chroot/etc/named.conf file should be owned by the appropriate group. (and dependencies are met)</description> > </metadata> > <criteria comment="DNS is not enabled or conditions are met" operator="OR"> > <extend_definition comment="DNS is not enabled" definition_ref="oval:org.open-scap.f14:def:20311"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20313"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20314" version="1"> > <metadata> > <title>Run DNS Software in a chroot Jail</title> > <reference ref_id="CCE-4258-0" source="CCE"/> > <description>The /var/named/chroot/etc/named.conf file should be owned by the appropriate user. (and dependencies are met)</description> > </metadata> > <criteria comment="DNS is not enabled or conditions are met" operator="OR"> > <extend_definition comment="DNS is not enabled" definition_ref="oval:org.open-scap.f14:def:20311"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20314"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20315" version="1"> > <metadata> > <title>Run DNS Software in a chroot Jail</title> > <reference ref_id="CCE-4487-5" source="CCE"/> > <description>File permissions for /var/named/chroot/etc/named.conf should be set correctly. 
(and dependencies are met)</description> > </metadata> > <criteria comment="DNS is not enabled or conditions are met" operator="OR"> > <extend_definition comment="DNS is not enabled" definition_ref="oval:org.open-scap.f14:def:20311"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20315"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20316" version="1"> > <metadata> > <title>Disable Dynamic Updates if Possible</title> > <reference ref_id="CCE-4399-2" source="CCE"/> > <description>The DNS server's (named/BIND) dynamic updates feature should be disabled as appropriate (and dependencies are met)</description> > </metadata> > <criteria comment="DNS is not enabled or conditions are met" operator="OR"> > <extend_definition comment="DNS is not enabled" definition_ref="oval:org.open-scap.f14:def:20311"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20317" version="1"> > <metadata> > <title>Disable vsftpd if Possible</title> > <reference ref_id="CCE-3919-8" source="CCE"/> > <description>The vsftpd service should be disabled.</description> > </metadata> > <criteria comment="vsftpd is not installed or conditions are met" operator="OR"> > <extend_definition comment="vsftpd is not installed" definition_ref="oval:org.open-scap.f14:def:203175"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20317"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:203175" version="1"> > <metadata> > <title>Uninstall vsftpd if Possible</title> > <reference ref_id="CCE-3919-8" source="CCE"/> > <description>The vsftpd package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:203175"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20318" version="1"> > <metadata> > <title>Enable Logging of All FTP Transactions</title> > <reference ref_id="CCE-4549-2" source="CCE"/> > <description>Logging of vsftpd transactions should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="vsftpd is not enabled or conditions are met" operator="OR"> > <extend_definition comment="vsftpd is not enabled" definition_ref="oval:org.open-scap.f14:def:20317"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20319" version="1"> > <metadata> > <title>Create Warning Banners for All FTP Users</title> > <reference ref_id="CCE-4554-2" source="CCE"/> > <description>A warning banner for all FTP users should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="vsftpd is not enabled or conditions are met" operator="OR"> > <extend_definition comment="vsftpd is not enabled" definition_ref="oval:org.open-scap.f14:def:20317"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20319"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20320" version="1"> > <metadata> > <title>Restrict Access to Anonymous Users if Possible</title> > <reference ref_id="CCE-4443-8" source="CCE"/> > <description>Local user login to the vsftpd service should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="vsftpd is not enabled or conditions are met" operator="OR"> > <extend_definition comment="vsftpd is not enabled" definition_ref="oval:org.open-scap.f14:def:20317"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20321" version="1"> > <metadata> > <title>Disable FTP Uploads if 
Possible</title> > <reference ref_id="CCE-4461-0" source="CCE"/> > <description>File uploads via vsftpd should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="vsftpd is not enabled or conditions are met" operator="OR"> > <extend_definition comment="vsftpd is not enabled" definition_ref="oval:org.open-scap.f14:def:20317"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20322" version="1"> > <metadata> > <title>Disable Apache if Possible</title> > <reference ref_id="CCE-4338-0" source="CCE"/> > <description>The httpd service should be disabled.</description> > </metadata> > <criteria comment="httpd is not installed or conditions are met" operator="OR"> > <extend_definition comment="httpd is not installed" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20322"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20323" version="1"> > <metadata> > <title>Uninstall Apache if Possible</title> > <reference ref_id="CCE-4514-6" source="CCE"/> > <description>The httpd package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20323"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20324" version="1"> > <metadata> > <title>Restrict Information Leakage</title> > <reference ref_id="CCE-4474-3" source="CCE"/> > <description>The apache2 server's ServerTokens value should be set appropriately (and dependencies are met)</description> > </metadata> > <criteria comment="httpd is disabled or conditions are met" operator="OR"> > <extend_definition comment="httpd is disabled" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion 
test_ref="oval:org.open-scap.f14:tst:20324"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20325" version="1"> > <metadata> > <title>Restrict Information Leakage</title> > <reference ref_id="CCE-3756-4" source="CCE"/> > <description>The apache2 server's ServerSignature value should be set appropriately (and dependencies are met)</description> > </metadata> > <criteria comment="httpd is disabled or conditions are met" operator="OR"> > <extend_definition comment="httpd is disabled" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20325"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20326" version="1"> > <metadata> > <title>Restrict File and Directory Access</title> > <reference ref_id="CCE-4509-6" source="CCE"/> > <description>File permissions for /etc/httpd/conf should be set correctly. (and dependencies are met)</description> > </metadata> > <criteria comment="httpd is disabled or conditions are met" operator="OR"> > <extend_definition comment="httpd is disabled" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20326"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20327" version="1"> > <metadata> > <title>Restrict File and Directory Access</title> > <reference ref_id="CCE-4386-9" source="CCE"/> > <description>File permissions for /etc/httpd/conf/* should be set correctly. 
(and dependencies are met)</description> > </metadata> > <criteria comment="httpd is disabled or conditions are met" operator="OR"> > <extend_definition comment="httpd is disabled" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20327"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20328" version="1"> > <metadata> > <title>Restrict File and Directory Access</title> > <reference ref_id="CCE-4029-5" source="CCE"/> > <description>File permissions for /usr/sbin/httpd should be set correctly. (and dependencies are met)</description> > </metadata> > <criteria comment="httpd is disabled or conditions are met" operator="OR"> > <extend_definition comment="httpd is disabled" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20328"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20329" version="1"> > <metadata> > <title>Restrict File and Directory Access</title> > <reference ref_id="CCE-3581-6" source="CCE"/> > <description>The /etc/httpd/conf/* files should be owned by the appropriate group.</description> > </metadata> > <criteria comment="httpd is disabled or conditions are met" operator="OR"> > <extend_definition comment="httpd is disabled" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20329"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20330" version="1"> > <metadata> > <title>Restrict File and Directory Access</title> > <reference ref_id="CCE-4574-0" source="CCE"/> > <description>File permissions for /var/log/httpd should be set correctly. 
(and dependencies are met)</description> > </metadata> > <criteria comment="httpd is disabled or conditions are met" operator="OR"> > <extend_definition comment="httpd is disabled" definition_ref="oval:org.open-scap.f14:def:20323"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20330"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20331" version="1"> > <metadata> > <title>Disable Dovecot if Possible</title> > <reference ref_id="CCE-3847-1" source="CCE"/> > <description>The dovecot service should be disabled.</description> > </metadata> > <criteria comment="dovecot is not installed or conditions are met" operator="OR"> > <extend_definition comment="dovecot is not installed" definition_ref="oval:org.open-scap.f14:def:20332"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20331"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20332" version="1"> > <metadata> > <title>Disable Dovecot if Possible</title> > <reference ref_id="CCE-4239-0" source="CCE"/> > <description>The dovecot package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20332"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20333" version="1"> > <metadata> > <title>Support Only the Necessary Protocols</title> > <reference ref_id="CCE-4384-4" source="CCE"/> > <description>Dovecot should be configured to not support the imaps protocol (and dependencies are met)</description> > </metadata> > <criteria comment="dovecot is disabled or conditions are met" operator="OR"> > <extend_definition comment="dovecot is disabled" definition_ref="oval:org.open-scap.f14:def:20331"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20333"/> > </criteria> > </definition> > <definition class="compliance" 
id="oval:org.open-scap.f14:def:20334" version="1"> > <metadata> > <title>Support Only the Necessary Protocols</title> > <reference ref_id="CCE-3887-7" source="CCE"/> > <description>Dovecot should be configured to not support the pop3s protocol (and dependencies are met)</description> > </metadata> > <criteria comment="dovecot is disabled or conditions are met" operator="OR"> > <extend_definition comment="dovecot is disabled" definition_ref="oval:org.open-scap.f14:def:20331"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20334"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20335" version="1"> > <metadata> > <title>Support Only the Necessary Protocols</title> > <reference ref_id="CCE-4530-2" source="CCE"/> > <description>Dovecot should be configured to not support the pop3 protocol (and dependencies are met)</description> > </metadata> > <criteria comment="dovecot is disabled or conditions are met" operator="OR"> > <extend_definition comment="dovecot is disabled" definition_ref="oval:org.open-scap.f14:def:20331"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20335"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20336" version="1"> > <metadata> > <title>Support Only the Necessary Protocols</title> > <reference ref_id="CCE-4547-6" source="CCE"/> > <description>Dovecot should be configured to not support the imap protocol (and dependencies are met)</description> > </metadata> > <criteria comment="dovecot is disabled or conditions are met" operator="OR"> > <extend_definition comment="dovecot is disabled" definition_ref="oval:org.open-scap.f14:def:20331"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20336"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20337" version="1"> > <metadata> > <title>Disable Plaintext 
Authentication</title> > <reference ref_id="CCE-4552-6" source="CCE"/> > <description>Dovecot plaintext authentication of clients should be disabled as necessary (and dependencies are met)</description> > </metadata> > <criteria comment="dovecot is disabled or conditions are met" operator="OR"> > <extend_definition comment="dovecot is disabled" definition_ref="oval:org.open-scap.f14:def:20331"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20337"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20338" version="1"> > <metadata> > <title>Enable Dovecot Options to Protect Against Code Flaws</title> > <reference ref_id="CCE-4371-1" source="CCE"/> > <description>The Dovecot option to drop privileges to user before executing mail process should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="dovecot is disabled or conditions are met" operator="OR"> > <extend_definition comment="dovecot is disabled" definition_ref="oval:org.open-scap.f14:def:20331"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20338"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20339" version="1"> > <metadata> > <title>Enable Dovecot Options to Protect Against Code Flaws</title> > <reference ref_id="CCE-4410-7" source="CCE"/> > <description>The Dovecot option to spawn a new login process per connection should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="dovecot is disabled or conditions are met" operator="OR"> > <extend_definition comment="dovecot is disabled" definition_ref="oval:org.open-scap.f14:def:20331"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20339"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20340" version="1"> > <metadata> > <title>Disable Samba if Possible</title> > <reference ref_id="CCE-4551-8" source="CCE"/> > <description>The smb service 
should be disabled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20340"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:203403" version="1"> > <metadata> > <title>Disable Guest Access and Local Login Support</title> > <reference ref_id="CCE-4551-8" source="CCE"/> > <description>Do not allow guest users to access local file or printer shares.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:203403"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:2034010" version="1"> > <metadata> > <title>Require Client SMB Packet Signing, if using smbclient</title> > <reference ref_id="CCE-4551-8" source="CCE"/> > <description>Require samba clients running smbclient to use packet signing. A Samba client should only communicate with servers that support SMB packet signing.</description> > </metadata> > <criteria> > <criterion comment="check for client signing = mandatory in /etc/samba/smb.conf" test_ref="oval:org.open-scap.f14:tst:2034010"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:2034011" version="1"> > <metadata> > <title>Require Client SMB Packet Signing, if mounting CIFS shares</title> > <reference ref_id="CCE-4551-8" source="CCE"/> > <description>Require SMB/CIFS filesystems mounted by this host to use packet signing: the cifs entries in /etc/fstab and /etc/mtab should carry the sec=krb5i or sec=ntlmv2i mount option, so that the client only communicates with servers that support SMB packet signing.</description> > </metadata> > <criteria> > <criterion comment="check for sec=krb5i or sec=ntlmv2i in /etc/fstab" test_ref="oval:org.open-scap.f14:tst:20340111"/> > <criterion comment="check for sec=krb5i or sec=ntlmv2i in /etc/mtab" test_ref="oval:org.open-scap.f14:tst:20340112"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20341" version="1"> > <metadata> > <title>Disable Squid if Possible</title> > <reference ref_id="CCE-4556-7" source="CCE"/> > <description>The squid service 
should be disabled.</description> > </metadata> > <criteria comment="squid is not installed or conditions are met" operator="OR"> > <extend_definition comment="squid is not installed" definition_ref="oval:org.open-scap.f14:def:20342"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20341"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20342" version="1"> > <metadata> > <title>Disable Squid if Possible</title> > <reference ref_id="CCE-4076-6" source="CCE"/> > <description>The squid package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20342"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20343" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference ref_id="CCE-4454-5" source="CCE"/> > <description>The Squid option to force FTP passive connections should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20343"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20344" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference ref_id="CCE-4459-4" source="CCE"/> > <description>The Squid option to perform FTP sanity checks should be enabled or not as appropriate (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20344"/> > </criteria> > </definition> > <definition 
class="compliance" id="oval:org.open-scap.f14:def:20345" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference ref_id="CCE-4503-9" source="CCE"/> > <description>The Squid option to check for RFC compliant hostnames should be enabled or not as appropriate (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20345"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20346" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference ref_id="CCE-4353-9" source="CCE"/> > <description>The Squid max request HTTP header length should be set to an appropriate value (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20346"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20347" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference ref_id="CCE-4419-8" source="CCE"/> > <description>The Squid max reply HTTP header length should be set to an appropriate value (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20347"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20348" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference 
ref_id="CCE-3692-1" source="CCE"/> > <description>The Squid EUID (effective user ID) should be set to an appropriate user (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20348"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20349" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference ref_id="CCE-4476-8" source="CCE"/> > <description>The Squid EGID (effective group ID) should be set to an appropriate group (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20349"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20350" version="1"> > <metadata> > <title>Verify Default Secure Settings</title> > <reference ref_id="CCE-3585-7" source="CCE"/> > <description>The Squid option to ignore unknown nameservers should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20350"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20351" version="1"> > <metadata> > <title>Change Default Insecure Settings</title> > <reference ref_id="CCE-4344-8" source="CCE"/> > <description>The Squid option to allow underscores in hostnames should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" 
operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20351"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20352" version="1"> > <metadata> > <title>Change Default Insecure Settings</title> > <reference ref_id="CCE-4494-1" source="CCE"/> > <description>The Squid option to suppress the httpd version string should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20352"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20353" version="1"> > <metadata> > <title>Change Default Insecure Settings</title> > <reference ref_id="CCE-4181-4" source="CCE"/> > <description>The Squid option to show proxy client IP addresses in HTTP headers should be disabled (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20353"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20354" version="1"> > <metadata> > <title>Change Default Insecure Settings</title> > <reference ref_id="CCE-4577-3" source="CCE"/> > <description>The Squid option to log HTTP MIME headers should be enabled (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion test_ref="oval:org.open-scap.f14:tst:20354"/> > 
</criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20355" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4511-2" source="CCE"/> > <description>Squid should be configured to not allow gss-http traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20356" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4529-4" source="CCE"/> > <description>Squid should be configured to not allow https traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20357" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-3610-3" source="CCE"/> > <description>Squid should be configured to not allow wais traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20358" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference 
ref_id="CCE-4466-9" source="CCE"/> > <description>Squid should be configured to not allow multiling http traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20359" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4607-8" source="CCE"/> > <description>Squid should be configured to not allow http traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20360" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4255-6" source="CCE"/> > <description>Squid should be configured to not allow ftp traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20361" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4127-7" source="CCE"/> > <description>Squid should be configured to not allow gopher traffic (and dependencies are met)</description> > </metadata> > <criteria 
comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20362" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4519-5" source="CCE"/> > <description>Squid should be configured to not allow filemaker traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20363" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4413-1" source="CCE"/> > <description>Squid proxy access to localhost should be denied (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20364" version="1"> > <metadata> > <title>Access Control Lists (ACL)</title> > <reference ref_id="CCE-4373-7" source="CCE"/> > <description>Squid should be configured to not allow http-mgmt traffic (and dependencies are met)</description> > </metadata> > <criteria comment="Squid is disabled or conditions are met" operator="OR"> > <extend_definition comment="Squid is disabled" definition_ref="oval:org.open-scap.f14:def:20341"/> > <criterion 
comment="Unknown test stub" test_ref="oval:org.open-scap.f14:tst:22"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20365" version="1"> > <metadata> > <title>Disable SNMP Server if Possible</title> > <reference ref_id="CCE-3765-5" source="CCE"/> > <description>The snmpd service should be disabled.</description> > </metadata> > <criteria comment="net-snmp is not installed or conditions are met" operator="OR"> > <extend_definition comment="net-snmp is not installed" definition_ref="oval:org.open-scap.f14:def:20366"/> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20365"/> > </criteria> > </definition> > <definition class="compliance" id="oval:org.open-scap.f14:def:20366" version="1"> > <metadata> > <title>Disable SNMP Server if Possible</title> > <reference ref_id="CCE-4404-0" source="CCE"/> > <description>The net-snmp package should be uninstalled.</description> > </metadata> > <criteria> > <criterion comment="Conditions are satisfied" test_ref="oval:org.open-scap.f14:tst:20366"/> > </criteria> > </definition> > </definitions> > <tests> > <ind-def:textfilecontent54_test check="only one" check_existence="at_least_one_exists" comment="look for /tmp partition or logical volume in /etc/fstab" id="oval:org.open-scap.f14:tst:20000" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20000"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20000"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="only one" check_existence="at_least_one_exists" comment="look for /var partition or logical volume in /etc/fstab" id="oval:org.open-scap.f14:tst:20002" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20000"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20002"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="only one" check_existence="at_least_one_exists" comment="look for /var/log 
partition or logical volume in /etc/fstab" id="oval:org.open-scap.f14:tst:20004" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20000"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20004"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="only one" check_existence="at_least_one_exists" comment="look for /var/log/audit partition or logical volume in /etc/fstab" id="oval:org.open-scap.f14:tst:20005" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20000"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20005"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="only one" check_existence="at_least_one_exists" comment="look for /home partition or logical volume in /etc/fstab" id="oval:org.open-scap.f14:tst:20006" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20000"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20006"/> > </ind-def:textfilecontent54_test> > <lin-def:rpminfo_test check="at least one" check_existence="any_exist" comment="proper gpg-pubkey version is installed" id="oval:org.open-scap.f14:tst:200065" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:200065"/> > <lin-def:state state_ref="oval:org.open-scap.f14:ste:200065"/> > </lin-def:rpminfo_test> > <unix-def:file_test check="all" check_existence="at_least_one_exists" comment="Existence check for path ^/etc/cron\.(hourly|daily|weekly|monthly)$ for filename yum.cron" id="oval:org.open-scap.f14:tst:20009" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20009"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check value of gpgcheck in /etc/yum.conf" id="oval:org.open-scap.f14:tst:20010" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20010"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20010"/> > 
</ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="check value of gpgcheck=0 in /etc/yum.repos.d/" id="oval:org.open-scap.f14:tst:20011" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20011"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20011"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check value of gpgcheck in /etc/yum.conf" id="oval:org.open-scap.f14:tst:20012" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20012"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20012"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="check value of repo_gpgcheck=0 in /etc/yum.repos.d/" id="oval:org.open-scap.f14:tst:20013" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20013"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20013"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check options for nodev in /etc/fstab for all non-root partitions" id="oval:org.open-scap.f14:tst:20016" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20016"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200161"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check options for nodev in /etc/mtab for all non-root partitions" id="oval:org.open-scap.f14:tst:200162" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200162"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200161"/> > </ind-def:textfilecontent54_test> > <lin-def:rpminfo_test check="at least one" check_existence="at_least_one_exists" comment="redhat-release is version 5" id="oval:org.open-scap.f14:tst:10000" version="1"> > <lin-def:object 
object_ref="oval:org.open-scap.f14:obj:10000"/> > <lin-def:state state_ref="oval:org.open-scap.f14:ste:10000"/> > </lin-def:rpminfo_test> > <lin-def:rpminfo_test check="at least one" check_existence="at_least_one_exists" comment="redhat-release is version 5.2" id="oval:org.open-scap.f14:tst:11000" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:10000"/> > <lin-def:state state_ref="oval:org.open-scap.f14:ste:11000"/> > </lin-def:rpminfo_test> > <ind-def:family_test check="only one" check_existence="at_least_one_exists" comment="installed operating system is part of the Unix family" id="oval:org.open-scap.f14:tst:10001" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:10001"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:10001"/> > </ind-def:family_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20008" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20008"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="all_exist" comment="The aide package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20014" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20014"/> > </lin-def:rpminfo_test> > <ind-def:unknown_test check="all" comment="Test implementation is unknown, unavailable, or impossible" id="oval:org.open-scap.f14:tst:22" version="1"/> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /etc/security/console.perms.d/50-default.perms for lines starting with <console> or <xconsole>" id="oval:org.open-scap.f14:tst:20020" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20020"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for usb_storage" id="oval:org.open-scap.f14:tst:20021" version="1"> > 
<ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20021"/> > </ind-def:textfilecontent54_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="Actual file existence test" id="oval:org.open-scap.f14:tst:20022" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20022"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the <:begin:>kernel<:nocomment:>nousb setting in the /etc/grub.conf file" id="oval:org.open-scap.f14:tst:20023" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20023"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20025" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20025"/> > </unix-def:runlevel_test> > <ind-def:xmlfilecontent_test check="all" check_existence="all_exist" comment="The XPath expression /desktop/gnome/volume_manager/automount_(media)|(drives) for /etc/gconf/gconf.xml.mandatory should evaluate to the passed value" id="oval:org.open-scap.f14:tst:20026" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20026"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20026"/> > </ind-def:xmlfilecontent_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for cramfs" id="oval:org.open-scap.f14:tst:20027" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20027"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for freevxfs" id="oval:org.open-scap.f14:tst:20028" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state 
state_ref="oval:org.open-scap.f14:ste:20028"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for jffs2" id="oval:org.open-scap.f14:tst:20029" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20029"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for hfs" id="oval:org.open-scap.f14:tst:20030" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20030"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for hfsplus" id="oval:org.open-scap.f14:tst:20031" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20031"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for squashfs" id="oval:org.open-scap.f14:tst:20032" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20032"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" comment="Check /etc/modprobe.d/blacklist.conf for udf" id="oval:org.open-scap.f14:tst:20033" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20027"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20033"/> > </ind-def:textfilecontent54_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership of /etc/shadow" id="oval:org.open-scap.f14:tst:20034" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20034"/> > <unix-def:state 
state_ref="oval:org.open-scap.f14:ste:20034"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership /etc/shadow" id="oval:org.open-scap.f14:tst:20035" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20034"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20035"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20036" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20036"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20036"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20037" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20036"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20037"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing gshadow ownership" id="oval:org.open-scap.f14:tst:20038" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20038"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20038"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing gshadow ownership" id="oval:org.open-scap.f14:tst:20039" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20038"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20039"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20040" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20040"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20040"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership 
of /etc/passwd" id="oval:org.open-scap.f14:tst:20041" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20040"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20041"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions of /etc/shadow" id="oval:org.open-scap.f14:tst:20042" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20034"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20042"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing /etc/group permissions" id="oval:org.open-scap.f14:tst:20043" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20036"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20043"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing gshadow permissions" id="oval:org.open-scap.f14:tst:20044" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20038"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20044"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing /etc/passwd permissions" id="oval:org.open-scap.f14:tst:20045" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20040"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20045"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="sticky bit on all world writable directories" id="oval:org.open-scap.f14:tst:20046" version="1"> > <notes> > <note>This will enumerate all world writable directories on local partitions</note> > </notes> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:200461"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20046"/> > </unix-def:file_test> > <unix-def:file_test check="all" comment="world writable files" 
id="oval:org.open-scap.f14:tst:20047" version="1"> > <notes> > <note>This will enumerate all world writable files on local partitions</note> > </notes> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:200471"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="executable files with sgid set" id="oval:org.open-scap.f14:tst:20048" version="1"> > <notes> > <note>This will enumerate all files on local partitions</note> > </notes> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20048"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="executable files with suid set" id="oval:org.open-scap.f14:tst:20049" version="1"> > <notes> > <note>This will enumerate all files on local partitions</note> > </notes> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20049"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="files with no user owner" id="oval:org.open-scap.f14:tst:20050" version="1"> > <notes> > <note>This will enumerate all files on local partitions</note> > </notes> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20050"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="files with no group owner" id="oval:org.open-scap.f14:tst:20051" version="1"> > <notes> > <note>This will enumerate all files on local partitions</note> > </notes> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20051"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="world writable directories have a uid greater than or equal to 500" id="oval:org.open-scap.f14:tst:20052" version="1"> > <notes> > <note>This will enumerate all directories on local partitions</note> > </notes> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20052"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" 
check_existence="all_exist" comment="Tests the value of the umask[\s]+(.*) expression in the /etc/rc.d/init.d/functions file" id="oval:org.open-scap.f14:tst:20053" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20053"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20053"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="Tests the value of the ^[\s]*\*[\s]+hard[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file" id="oval:org.open-scap.f14:tst:20055" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20055"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20055"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/fs/suid_dumpable" id="oval:org.open-scap.f14:tst:20056" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20056"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20056"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="any_exist" comment="Tests the value of the /proc/sys/kernel/exec-shield" id="oval:org.open-scap.f14:tst:20057" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20057"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20057"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="any_exist" comment="Tests the value of the /proc/sys/kernel/randomize_va_space" id="oval:org.open-scap.f14:tst:20058" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20058"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20058"/> > </ind-def:textfilecontent54_test> > <ind-def:unknown_test check="all" comment="BIOS test cannot be automated" id="oval:org.open-scap.f14:tst:20060" version="1"/> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" 
comment="Tests the value of the <:begin:>tty[0-9]+<:end:> setting in the /etc//securetty file" id="oval:org.open-scap.f14:tst:20061" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20061"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the <:begin:>Vc\/[0-9]+<:end:> setting in the /etc/securetty file" id="oval:org.open-scap.f14:tst:20062" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20062"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the <:begin:>console<:end:> setting in the /etc/securetty file" id="oval:org.open-scap.f14:tst:20063" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20063"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the <:begin:>ttyS[0-9]+<:end:> setting in the /etc/securetty file" id="oval:org.open-scap.f14:tst:20064" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20064"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the <:begin:>wheel setting in the /etc/group file" id="oval:org.open-scap.f14:tst:20065" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20065"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the <:begin:>auth[\s]+required[\s]+pam_wheel.so[\s]+use_uid<:end:> setting in the /etc/pam.d/su file" id="oval:org.open-scap.f14:tst:20066" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20066"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the 
%wheel[\s]+ALL=\(ALL\)[\s]+ALL setting in the /etc/sudoers file" id="oval:org.open-scap.f14:tst:20067" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20067"/> > </ind-def:textfilecontent54_test> > <unix-def:password_test check="at least one" comment="Tests the login shell for non root system accounts" id="oval:org.open-scap.f14:tst:20068" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20068"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20068"/> > </unix-def:password_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the ^[^:]*:: setting in the /etc/shadow file" id="oval:org.open-scap.f14:tst:20069" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20069"/> > </ind-def:textfilecontent54_test> > <unix-def:password_test check="all" comment="Check that passwords are shadowed" id="oval:org.open-scap.f14:tst:200695" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:200695"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:200695"/> > </unix-def:password_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if there is only root account with UID 0" id="oval:org.open-scap.f14:tst:20070" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20070"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20070"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the PASS_MIN_LEN[\s]*=[\s]*(.*) expression in the /etc/login.defs file" id="oval:org.open-scap.f14:tst:20071" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20071"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20071"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the 
PASS_MIN_DAYS[\s]*=[\s]*(.*) expression in the /etc/login.defs file" id="oval:org.open-scap.f14:tst:20072" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20072"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20072"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the PASS_MAX_DAYS[\s]*=[\s]*(.*) expression in the /etc/login.defs file" id="oval:org.open-scap.f14:tst:20073" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20073"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20073"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the PASS_WARN_AGE[\s]*=[\s]*(.*) expression in the /etc/login.defs file" id="oval:org.open-scap.f14:tst:20074" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20074"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20074"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the ^+: setting in the /etc/shadow file" id="oval:org.open-scap.f14:tst:20075" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20075"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the ^+: setting in the /etc/group file" id="oval:org.open-scap.f14:tst:20076" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20076"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the ^+: setting in the /etc/passwd file" id="oval:org.open-scap.f14:tst:20077" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20077"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test 
check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200781" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200781"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200781"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200782" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200782"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200782"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200783" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200783"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200783"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200784" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200784"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200784"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200785" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200785"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200785"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200786" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200786"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200786"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" comment="check the 
configuration of /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200787" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200787"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200787"/> > </ind-def:textfilecontent54_test> > <ind-def:unknown_test check="all" comment="pam_passwdqc is not implemented" id="oval:org.open-scap.f14:tst:20079" version="1"/> > <ind-def:variable_test check="all" comment="check value of unlock_time" id="oval:org.open-scap.f14:tst:200800" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200800"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200800"/> > </ind-def:variable_test> > <ind-def:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check system-auth pam_tally2 excluding unlock_time" id="oval:org.open-scap.f14:tst:2008011" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2008011"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:2008011"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check system-auth pam_tally2 excluding unlock_time" id="oval:org.open-scap.f14:tst:2008012" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2008012"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:2008012"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check system-auth pam_tally2 including unlock_time" id="oval:org.open-scap.f14:tst:2008013" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2008013"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:2008013"/> > </ind-def:textfilecontent54_test> > <!-- TODO <ind-def:textfilecontent54_test check_existence="only_one_exists" id="oval:org.open-scap.f14:tst:200803" version="1" check="all" comment="check system-auth pam_tally2 account is configured correctly" 
state_operator="OR"> --> > <ind-def:textfilecontent54_test check="all" check_existence="only_one_exists" comment="check system-auth pam_tally2 account is configured correctly" id="oval:org.open-scap.f14:tst:200803" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200803"/> > </ind-def:textfilecontent54_test> > <ind-def:unknown_test check="all" comment="Check for required in pam_unix auth" id="oval:org.open-scap.f14:tst:200805" version="1"/> > <ind-def:unknown_test check="all" comment="check that pam_succeed_if is not there with quiet option" id="oval:org.open-scap.f14:tst:2008061" version="1"/> > <ind-def:unknown_test check="all" comment="check that pam_deny is not there" id="oval:org.open-scap.f14:tst:2008062" version="1"/> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20081" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20081"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20081"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Group existance" id="oval:org.open-scap.f14:tst:200811" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200811"/> > </ind-def:textfilecontent54_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20082" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20081"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20082"/> > </unix-def:file_test> > <ind-def:variable_test check="all" comment="check value of hashing algorithm is md5" id="oval:org.open-scap.f14:tst:200831" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200831"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200831"/> > </ind-def:variable_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" 
comment="check the /etc/login.defs file for MD5_CRYPT_ENAB setting" id="oval:org.open-scap.f14:tst:200832" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200832"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200832"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="check the /etc/login.defs file for ENCRYPT_METHOD setting" id="oval:org.open-scap.f14:tst:200833" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200833"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200833"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="at least one" check_existence="all_exist" comment="check the /etc/pam.d/system-auth file for the hash algorithm setting" id="oval:org.open-scap.f14:tst:200834" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200834"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200833"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="check the /etc/libuser.conf file for the crypt_style setting" id="oval:org.open-scap.f14:tst:200835" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200835"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200833"/> > </ind-def:textfilecontent54_test> > <ind-def:variable_test check="all" comment="check remember parameter is set to 0" id="oval:org.open-scap.f14:tst:200841" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200841"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200841"/> > </ind-def:variable_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="check that remember is set appropriately in /etc/pam.d/system-auth" id="oval:org.open-scap.f14:tst:200842" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200842"/> > <ind-def:state 
state_ref="oval:org.open-scap.f14:ste:200842"/> > </ind-def:textfilecontent54_test> > <ind-def:environmentvariable_test check="all" comment="PATH starts with : or ." id="oval:org.open-scap.f14:tst:200851" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20085"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200851"/> > </ind-def:environmentvariable_test> > <ind-def:environmentvariable_test check="all" check_existence="at_least_one_exists" comment="PATH ends with : or ." id="oval:org.open-scap.f14:tst:200852" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20085"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200852"/> > </ind-def:environmentvariable_test> > <ind-def:environmentvariable_test check="all" comment="PATH contains :: or :.:" id="oval:org.open-scap.f14:tst:200853" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20085"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:200853"/> > </ind-def:environmentvariable_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="Check that write permission to group and other in root's path is denied" id="oval:org.open-scap.f14:tst:200855" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:2008551"/> > </unix-def:file_test> > <unix-def:file_test check="none satisfy" comment="home directories are group writeable" id="oval:org.open-scap.f14:tst:200861" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20086"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:200861"/> > </unix-def:file_test> > <unix-def:file_test check="none satisfy" comment="home directories are world readable" id="oval:org.open-scap.f14:tst:200862" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20086"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:200862"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" 
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/bashrc file" id="oval:org.open-scap.f14:tst:20087" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20087"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20087"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/csh.cshrc file" id="oval:org.open-scap.f14:tst:20088" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20088"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20087"/> > </ind-def:textfilecontent54_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20092" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20092"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20092"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20093" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20093"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20093"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20094" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20094"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20094"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the password[\s]+--md5[\s]+.* setting in the /etc/grub.conf file" id="oval:org.open-scap.f14:tst:20095" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20095"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" 
comment="Tests the value of the ~~:S:wait:/sbin/sulogin setting in the /etc/inittab file" id="oval:org.open-scap.f14:tst:20096" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:73"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the PROMPT[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/init file" id="oval:org.open-scap.f14:tst:20097" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20096"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20097"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*set[\s]+-r[\s]+autologout[\s]+([^#]*) expression in the /etc/profile.d/autologout.csh file" id="oval:org.open-scap.f14:tst:20098" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20098"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20098"/> > </ind-def:textfilecontent54_test> > <ind-def:unknown_test check="all" comment="Test implementation is unknown, unavailable, or impossible" id="oval:org.open-scap.f14:tst:20099" version="1"/> > <ind-def:xmlfilecontent_test check="all" comment="/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_delay']/local_schema[1]/default[1]/@value" id="oval:org.open-scap.f14:tst:20100" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20100"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20100"/> > </ind-def:xmlfilecontent_test> > <ind-def:xmlfilecontent_test check="all" comment="/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_activation_enabled']/local_schema[1]/default[1]/@value" id="oval:org.open-scap.f14:tst:201005" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201005"/> > <ind-def:state 
state_ref="oval:org.open-scap.f14:ste:201005"/> > </ind-def:xmlfilecontent_test> > <ind-def:xmlfilecontent_test check="all" comment="/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='lock_enabled']/local_schema[1]/default[1]/@value" id="oval:org.open-scap.f14:tst:201006" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201006"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201006"/> > </ind-def:xmlfilecontent_test> > <ind-def:xmlfilecontent_test check="all" comment="/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='mode']/local_schema[1]/default[1]/stringvalue[1]" id="oval:org.open-scap.f14:tst:201007" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201007"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201007"/> > </ind-def:xmlfilecontent_test> > <lin-def:rpminfo_test check="all" check_existence="all_exist" comment="The vlock package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20101" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20101"/> > </lin-def:rpminfo_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the (.*) setting in the /etc/issue file" id="oval:org.open-scap.f14:tst:20102" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20102"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20102"/> > </ind-def:textfilecontent54_test> > <ind-def:xmlfilecontent_test check="all" comment="/greeter/item[@id='banner']/box[1]/item[@id='DOD_Banner']/text[1]" id="oval:org.open-scap.f14:tst:20103" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20103"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20103"/> > </ind-def:xmlfilecontent_test> > <ind-def:textfilecontent54_test check="all" check_existence="any_exist" comment="Tests the value of the [\s]selinux=([^\s]*) 
expression in the /etc/grub.conf file" id="oval:org.open-scap.f14:tst:20104" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20104"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20104"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the [\s]enforcing=([^\s]*) expression in the /etc/grub.conf file" id="oval:org.open-scap.f14:tst:20105" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20105"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20105"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*selinux[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file" id="oval:org.open-scap.f14:tst:20106" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20106"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20106"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file" id="oval:org.open-scap.f14:tst:20107" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20107"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20107"/> > </ind-def:textfilecontent54_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The setroubleshoot package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20108" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20108"/> > </lin-def:rpminfo_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20109" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20109"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test 
check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20110" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20110"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20111"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20111" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20111"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20111"/> > </unix-def:runlevel_test> > <!-- BEGIN --> > <!-- def:20112 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/default/send_redirects file" id="oval:org.open-scap.f14:tst:201120" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201120"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201121" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.default\.send_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201122" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201121"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20113 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/all/send_redirects file" id="oval:org.open-scap.f14:tst:201130" 
version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201130"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.all\.send_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201131" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201131"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.all\.send_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201132" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201131"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20114 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/ip_forward file" id="oval:org.open-scap.f14:tst:201140" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201140"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.ip_forward[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201141" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201141"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.ip_forward[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201142" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:201141"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20115 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/all/accept_source_route file" id="oval:org.open-scap.f14:tst:201150" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201150"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.all\.accept_source_route[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201151" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201151"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.all\.accept_source_route[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201152" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201151"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20116 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/all/accept_redirects file" id="oval:org.open-scap.f14:tst:201160" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201160"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.all\.accept_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201161" 
version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201161"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.all\.accept_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201162" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201161"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20117 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/all/secure_redirects file" id="oval:org.open-scap.f14:tst:201170" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201170"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.all\.secure_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201171" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201171"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.all\.secure_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201172" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201171"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <!-- def:20118 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/all/log_martians file" id="oval:org.open-scap.f14:tst:201180" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:201180"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.all\.log_martians[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201181" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201181"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.all\.log_martians[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201182" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201181"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <!-- def:20119 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/default/accept_source_route file" id="oval:org.open-scap.f14:tst:201190" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201190"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.default\.accept_source_route[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201191" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201191"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.default\.accept_source_route[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201192" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:201191"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20120 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/default/accept_redirects file" id="oval:org.open-scap.f14:tst:201200" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201200"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.default\.accept_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201201" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201201"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.default\.accept_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201202" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201201"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20121 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/default/secure_redirects file" id="oval:org.open-scap.f14:tst:201210" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201210"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.default\.secure_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" 
id="oval:org.open-scap.f14:tst:201211" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201211"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.default\.secure_redirects[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201212" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201211"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <!-- def:20122 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts file" id="oval:org.open-scap.f14:tst:201220" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201220"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.icmp_echo_ignore_broadcasts[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201221" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201221"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.icmp_echo_ignore_broadcasts[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201222" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201221"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <!-- def:20123 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses file" id="oval:org.open-scap.f14:tst:201230" 
version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201230"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.icmp_ignore_bogus_error_responses[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201231" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201231"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.icmp_ignore_bogus_error_responses[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201232" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201231"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <!-- def:20124 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/tcp_syncookies file" id="oval:org.open-scap.f14:tst:201240" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201240"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.tcp_syncookies[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201241" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201241"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.tcp_syncookies[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201242" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:201241"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <!-- def:20125 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/all/rp_filter file" id="oval:org.open-scap.f14:tst:201250" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201250"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.all\.rp_filter[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201251" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201251"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.all\.rp_filter[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201252" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201251"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <!-- def:20126 --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv4/conf/default/rp_filter file" id="oval:org.open-scap.f14:tst:201260" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201260"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[\s]*net\.ipv4\.conf\.default\.rp_filter[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201261" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:201261"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*net\.ipv4\.conf\.default\.rp_filter[\s]*=([\s]*) expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201262" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201261"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201121"/> > </ind-def:textfilecontent54_test> > <!-- ^^^ ok ^^^ --> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Look in /proc/net/wireless" id="oval:org.open-scap.f14:tst:20128" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20128"/> > </ind-def:textfilecontent54_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="Actual file existence test" id="oval:org.open-scap.f14:tst:20129" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20129"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the <:begin:>alias[\s]+net-pf-10[\s]+off<:end:> setting in the /etc/modprobe.d/dist.conf file" id="oval:org.open-scap.f14:tst:20130" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20130"/> > </ind-def:textfilecontent54_test> > <!-- assuming the default is "no" i.e. 
if IPV6INIT is not present --> > <ind-def:textfilecontent54_test check="all" check_existence="any_exist" comment="Tests the value of the ^[\s]*IPV6INIT[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network file" id="oval:org.open-scap.f14:tst:20131" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20131"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20131"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="any_exist" comment="Tests the value of the ^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network file" id="oval:org.open-scap.f14:tst:20132" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20132"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20132"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="any_exist" comment="Tests the value of the ^[\s]*NETWORKING_IPV6[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network-scripts/ifcfg-.* file" id="oval:org.open-scap.f14:tst:20133" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20133"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20133"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="any_exist" comment="Tests the value of the ^[\s]*IPV6INIT[\s]*=[\s]*([^#]*) expression in the /etc/sysconfig/network file" id="oval:org.open-scap.f14:tst:20134" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20134"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20134"/> > </ind-def:textfilecontent54_test> > <!-- sysctl (ip6) --> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv6/conf/default/router_solicitations file" id="oval:org.open-scap.f14:tst:201390" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201390"/> > <ind-def:state 
state_ref="oval:org.open-scap.f14:ste:20139"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[[:space:]]*net\.ipv6\.conf\.default\.router_solicitations[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201391" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201391"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[[:space:]]*net\.ipv6\.conf\.default\.router_solicitations[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201392" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201391"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20139"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv6/conf/default/accept_ra_rtr_pref file" id="oval:org.open-scap.f14:tst:201400" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201400"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_rtr_pref[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201401" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201401"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_rtr_pref[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf 
file" id="oval:org.open-scap.f14:tst:201402" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201401"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv6/conf/default/accept_ra_pinfo file" id="oval:org.open-scap.f14:tst:201410" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201410"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_pinfo[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201411" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201411"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_pinfo[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201412" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201411"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv6/conf/default/accept_ra_defrtr file" id="oval:org.open-scap.f14:tst:201420" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201420"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the 
^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_defrtr[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201421" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201421"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_defrtr[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201422" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201421"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv6/conf/default/autoconf file" id="oval:org.open-scap.f14:tst:201430" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201430"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[[:space:]]*net\.ipv6\.conf\.default\.autoconf[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201431" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201431"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[[:space:]]*net\.ipv6\.conf\.default\.autoconf[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201432" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201431"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201120"/> > </ind-def:textfilecontent54_test> > 
<ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv6/conf/default/dad_transmits file" id="oval:org.open-scap.f14:tst:201440" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201440"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20144"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[[:space:]]*net\.ipv6\.conf\.default\.dad_transmits[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201441" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201441"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[[:space:]]*net\.ipv6\.conf\.default\.dad_transmits[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201442" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201441"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20144"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /proc/sys/net/ipv6/conf/default/max_addresses file" id="oval:org.open-scap.f14:tst:201450" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201450"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20145"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of the ^[[:space:]]*net\.ipv6\.conf\.default\.max_addresses[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201451" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201451"/> > 
</ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[[:space:]]*net\.ipv6\.conf\.default\.max_addresses[[:space:]]*=[[:space:]]*([01])[[:space:]]*$ expression in the /etc/sysctl.conf file" id="oval:org.open-scap.f14:tst:201452" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201451"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20145"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="at least one" check_existence="at_least_one_exists" comment="Check whether the ip6tables service is enabled" id="oval:org.open-scap.f14:tst:20146" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20146"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20146"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="at least one" check_existence="at_least_one_exists" comment="Check whether the iptables service is enabled" id="oval:org.open-scap.f14:tst:20147" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20147"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20146"/> > </unix-def:runlevel_test> > <!--- New end --> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check /etc/sysconfig/iptables for line :INPUT DROP [0:0]" id="oval:org.open-scap.f14:tst:2014741" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2014741"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check /etc/sysconfig/iptables for line :INPUT ACCEPT [0:0]" id="oval:org.open-scap.f14:tst:2014742" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2014742"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check /etc/sysconfig/iptables for line :FORWARD DROP [0:0]" 
id="oval:org.open-scap.f14:tst:2014751" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2014751"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check /etc/sysconfig/iptables for line :FORWARD ACCEPT [0:0]" id="oval:org.open-scap.f14:tst:2014752" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2014752"/> > </ind-def:textfilecontent54_test> > <!-- > <ind-def:textfilecontent54_test id="oval:org.open-scap.f14:tst:201476" check_existence="at_least_one_exists" version="1" check="all" comment="Check /etc/modprobe.conf for line install DCCP /bin/true"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201476" /> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test id="oval:org.open-scap.f14:tst:201477" check_existence="at_least_one_exists" version="1" check="all" comment="Check /etc/modprobe.conf for line install SCTP /bin/true"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201477" /> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test id="oval:org.open-scap.f14:tst:201478" check_existence="at_least_one_exists" version="1" check="all" comment="Check /etc/modprobe.conf for line install RDS /bin/true"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201478" /> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test id="oval:org.open-scap.f14:tst:201479" check_existence="at_least_one_exists" version="1" check="all" comment="Check /etc/modprobe.conf for line install TIPC /bin/true"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201479" /> > </ind-def:textfilecontent54_test> > --> > <unix-def:runlevel_test check="at least one" check_existence="at_least_one_exists" comment="Check whether rsyslogd is enabled" id="oval:org.open-scap.f14:tst:20148" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20148"/> > <unix-def:state 
state_ref="oval:org.open-scap.f14:ste:20148"/> > </unix-def:runlevel_test> > <!-- NOTE(review): tst:20149, tst:20150 and tst:20151 evaluate the same object (obj:201491) but with different existence checks: the owner test uses any_exist (its own comment says only log files that exist are judged), while the group-owner and permission tests use all_exist, so one absent log file fails the latter two and passes the first. Either use any_exist for all three, if absent files are acceptable, or document why the checks differ. --> <unix-def:file_test check="all" check_existence="any_exist" comment="If any of the mandatory log files exist, their owner must be set to root" id="oval:org.open-scap.f14:tst:20149" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:201491"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20149"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="root group owns log files" id="oval:org.open-scap.f14:tst:20150" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:201491"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20150"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="log files have correct permissions" id="oval:org.open-scap.f14:tst:20151" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:201491"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20151"/> > </unix-def:file_test> > <unix-def:password_test check="all" check_existence="at_least_one_exists" comment="Check if user exists" id="oval:org.open-scap.f14:tst:201491" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:2014911"/> > </unix-def:password_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check if group exists" id="oval:org.open-scap.f14:tst:201501" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201501"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Tests the value of the \*\.\*[\s]+@ setting in the /etc/rsyslog.conf file" id="oval:org.open-scap.f14:tst:20152" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20152"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of 
the SYSLOGD_OPTIONS[\s]*=[\s]*.*-r.* setting in the /etc/sysconfig/rsyslog file" id="oval:org.open-scap.f14:tst:20153" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20153"/> > </ind-def:textfilecontent54_test> > <!-- > <ind-def:textfilecontent54_test check_existence="all_exist" id="oval:org.open-scap.f14:tst:20154" version="1" check="all" comment="Find each file in /etc/syslog.conf in /etc/logrotate.d/syslog"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20154"/> > </ind-def:textfilecontent54_test> >--> > <unix-def:runlevel_test check="at least one" check_existence="all_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20156" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20156"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20156"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for audit=1 in /etc/grub.conf" id="oval:org.open-scap.f14:tst:20157" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20157"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" id="oval:org.open-scap.f14:tst:2015750" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2015750"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b32 -S clock_settime -k time-change" id="oval:org.open-scap.f14:tst:2015751" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2015751"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b64 -S 
adjtimex -S settimeofday -S stime -k time-change" id="oval:org.open-scap.f14:tst:2015752" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2015752"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b64 -S clock_settime -k time-change" id="oval:org.open-scap.f14:tst:2015753" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2015753"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/localtime -p wa -k time-change" id="oval:org.open-scap.f14:tst:2015754" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2015754"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/group -p wa -k identity" id="oval:org.open-scap.f14:tst:201580" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201580"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/passwd -p wa -k identity" id="oval:org.open-scap.f14:tst:201581" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201581"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/gshadow -p wa -k identity" id="oval:org.open-scap.f14:tst:201582" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201582"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/shadow -p wa -k identity" 
id="oval:org.open-scap.f14:tst:201583" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201583"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/security/opasswd -p wa -k identity" id="oval:org.open-scap.f14:tst:201584" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201584"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale" id="oval:org.open-scap.f14:tst:201590" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201590"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale" id="oval:org.open-scap.f14:tst:201591" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201591"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/issue -p wa -k system-locale" id="oval:org.open-scap.f14:tst:201592" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201592"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/issue.net -p wa -k system-locale" id="oval:org.open-scap.f14:tst:201593" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201593"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/hosts -p wa -k system-locale" 
id="oval:org.open-scap.f14:tst:201594" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201594"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/sysconfig/network -p wa -k system-locale" id="oval:org.open-scap.f14:tst:201595" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201595"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/selinux/ -p wa -k MAC-policy" id="oval:org.open-scap.f14:tst:20160" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20160"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /var/log/faillog -p wa -k logins" id="oval:org.open-scap.f14:tst:201610" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201610"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /var/log/lastlog -p wa -k logins" id="oval:org.open-scap.f14:tst:201611" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201611"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /var/run/utmp -p wa -k session" id="oval:org.open-scap.f14:tst:201620" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201620"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /var/log/btmp -p wa -k session" id="oval:org.open-scap.f14:tst:201621" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:201621"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /var/log/wtmp -p wa -k session" id="oval:org.open-scap.f14:tst:201622" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201622"/> > </ind-def:textfilecontent54_test> > <!-- NOTE(review): tst:201630..201632 and tst:201633..201635 carry identical comments with the placeholder "arch=ARCH" yet reference different objects (obj:201630.. vs obj:201633..); the comments should say which architecture each triple covers (b32/b64, as the access tests tst:201640..201643 do). The "auid>=500" floor quoted here corresponds to a UID_MIN of 500; on systems whose regular accounts start at 1000 the expected audit rule would differ, so confirm the object regex against the target distribution's login.defs before reusing these tests. --> <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" id="oval:org.open-scap.f14:tst:201630" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201630"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" id="oval:org.open-scap.f14:tst:201631" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201631"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" id="oval:org.open-scap.f14:tst:201632" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201632"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod" id="oval:org.open-scap.f14:tst:201633" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201633"/> > 
</ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod" id="oval:org.open-scap.f14:tst:201634" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201634"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod" id="oval:org.open-scap.f14:tst:201635" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201635"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" id="oval:org.open-scap.f14:tst:201640" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201640"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" id="oval:org.open-scap.f14:tst:201641" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201641"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access" 
id="oval:org.open-scap.f14:tst:201642" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201642"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access" id="oval:org.open-scap.f14:tst:201643" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201643"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" id="oval:org.open-scap.f14:tst:20165" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20165"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export" id="oval:org.open-scap.f14:tst:201660" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201660"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export" id="oval:org.open-scap.f14:tst:201661" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201661"/> > </ind-def:textfilecontent54_test> > <unix-def:uname_test check="all" comment="check architecture is 32 bit" id="oval:org.open-scap.f14:tst:201670" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:201670"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:201670"/> > </unix-def:uname_test> > <ind-def:textfilecontent54_test check="all" 
check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" id="oval:org.open-scap.f14:tst:201671" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201671"/> > </ind-def:textfilecontent54_test> > <unix-def:uname_test check="all" comment="check architecture is 64 bit" id="oval:org.open-scap.f14:tst:201672" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:201670"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:201672"/> > </unix-def:uname_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete" id="oval:org.open-scap.f14:tst:201673" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201673"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /etc/sudoers -p wa -k actions" id="oval:org.open-scap.f14:tst:20168" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20168"/> > </ind-def:textfilecontent54_test> > <!-- NOTE(review): the disabled insmod test below has id tst:2016851 but references obj:2016861, breaking the tst:N/obj:N pairing its siblings tst:2016852 and tst:2016853 follow; fix the object_ref before re-enabling it. While it is disabled, direct /sbin/insmod executions have no file-watch test here; the init_module/delete_module syscall test (tst:2016854) presumably covers module loading at the syscall level, but confirm the definition's criteria before relying on that. --> <!-- <ind-def:textfilecontent54_test check_existence="at_least_one_exists" id="oval:org.open-scap.f14:tst:2016851" version="1" check="all" comment="/etc/audit/audit.rules contains -w /sbin/insmod -p x -k modules"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2016861"/> > </ind-def:textfilecontent54_test> --> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /sbin/rmmod -p x -k modules" id="oval:org.open-scap.f14:tst:2016852" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2016852"/> > </ind-def:textfilecontent54_test> > 
<ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -w /sbin/modprobe -p x -k modules" id="oval:org.open-scap.f14:tst:2016853" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2016853"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="/etc/audit/audit.rules contains -a always,exit -S init_module -S delete_module -k modules" id="oval:org.open-scap.f14:tst:2016854" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2016854"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="look in /etc/audit/audit.rules for -e 2" id="oval:org.open-scap.f14:tst:20169" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20169"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20170" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20170"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20171" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20171"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Xinetd runlevel test" id="oval:org.open-scap.f14:tst:201745" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201745"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201745"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Xinetd runlevel test" 
id="oval:org.open-scap.f14:tst:201774" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201774"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201745"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Xinetd runlevel test" id="oval:org.open-scap.f14:tst:201775" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201775"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201745"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Xinetd runlevel test" id="oval:org.open-scap.f14:tst:201776" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201776"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201745"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Xinetd services test" id="oval:org.open-scap.f14:tst:20178" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20178"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Xinetd runlevel test" id="oval:org.open-scap.f14:tst:201825" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:201825"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:201745"/> > </ind-def:textfilecontent54_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The inetd package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20179" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20179"/> > </lin-def:rpminfo_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The inetd package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20172" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20172"/> > 
</lin-def:rpminfo_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The xinetd package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20173" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20173"/> > </lin-def:rpminfo_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The telnet-server package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20174" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20174"/> > </lin-def:rpminfo_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The telnet-server package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20175" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20175"/> > </lin-def:rpminfo_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The telnet-server package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20176" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20176"/> > </lin-def:rpminfo_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The rsh-server package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20177" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20177"/> > </lin-def:rpminfo_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The ypserv package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20180" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20180"/> > </lin-def:rpminfo_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20181" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20181"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > 
</unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The tftp-server package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20182" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20182"/> > </lin-def:rpminfo_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20183" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20183"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20184" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20184"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20185" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20185"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20186" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20186"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20187" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20187"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20188" version="1"> > <unix-def:object 
object_ref="oval:org.open-scap.f14:obj:20188"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20189" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20189"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20190" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20190"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20191" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20191"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="check for ifcfg-interface in /etc/sysconfig/network-scripts" id="oval:org.open-scap.f14:tst:20192" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20192"/> > </unix-def:file_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check NOZEROCONF=yes in /etc/sysconfig/network" id="oval:org.open-scap.f14:tst:20193" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20193"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20194" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20194"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel 
test" id="oval:org.open-scap.f14:tst:20195" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20195"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20196" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20196"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20197" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20197"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20198" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20198"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20199" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20199"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20200" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20200"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20201" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20201"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > 
</unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="net-pf-31 is off in /etc/modprobe.conf" id="oval:org.open-scap.f14:tst:2020151" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2020151"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="bluetooth is off in /etc/modprobe.conf" id="oval:org.open-scap.f14:tst:2020152" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2020152"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20202" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20202"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20203" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20203"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20204" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20204"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="at least one" check_existence="at_least_one_exists" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20205" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20205"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20172"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:202052" version="1"> > <unix-def:object 
object_ref="oval:org.open-scap.f14:obj:202052"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="Is the at package installed?" id="oval:org.open-scap.f14:tst:202053" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:202053"/> > </lin-def:rpminfo_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20206" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20206"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The anacron package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20207" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20207"/> > </lin-def:rpminfo_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20208" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20208"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20208"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20209" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20209"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20209"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20210" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20210"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20210"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" 
id="oval:org.open-scap.f14:tst:20211" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20211"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20211"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20212" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20212"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20212"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20213" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20213"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20213"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20214" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20214"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20214"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20215" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20215"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20215"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20216" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20216"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20216"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20217" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20217"/> > <unix-def:state 
state_ref="oval:org.open-scap.f14:ste:20217"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20218" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20218"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20218"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20219" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20219"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20219"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20220" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20220"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20220"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20221" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20221"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20221"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20222" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20222"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20222"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20223" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20223"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20223"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" 
id="oval:org.open-scap.f14:tst:20224" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20224"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20224"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20225" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20225"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20225"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20226" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20226"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20226"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20227" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20227"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20227"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20228" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20228"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20228"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20229" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20229"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20229"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20230" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20229"/> > <unix-def:state 
state_ref="oval:org.open-scap.f14:ste:20230"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20231" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20229"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20231"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="Existence check of /etc/cron.deny" id="oval:org.open-scap.f14:tst:20232" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20232"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="none_exist" comment="Existence check of /etc/at.deny" id="oval:org.open-scap.f14:tst:20233" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20233"/> > </unix-def:file_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20234" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20234"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20171"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The openssh-server package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20235" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20235"/> > </lin-def:rpminfo_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Inbound connections to the ssh port should be denied" id="oval:org.open-scap.f14:tst:20236" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20236"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Inbound connections to the ssh port should be denied" id="oval:org.open-scap.f14:tst:20237" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:20237"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the Protocol[\s]<:nocomment:>1 setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20238" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20238"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveInterval setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20239" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20239"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20239"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20240" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20240"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20240"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the IgnoreRhosts[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20241" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20241"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the HostbasedAuthentication[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20242" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20242"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the 
PermitRootLogin[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20243" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20243"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the PermitEmptyPasswords[\s]*(<:nocomment:>*) setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20244" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20244"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the Banner[\s]+/etc/issue setting in the /etc/ssh/sshd_config file" id="oval:org.open-scap.f14:tst:20245" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20245"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Check value of PermitUserEnvironment in /etc/ssh/sshd_config" id="oval:org.open-scap.f14:tst:202455" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:202455"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Check value of Ciphers in /etc/ssh/sshd_config" id="oval:org.open-scap.f14:tst:202456" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:202456"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:202456"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the id:([^:]*):initdefault: expression in the /etc/inittab file" id="oval:org.open-scap.f14:tst:20246" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20246"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:87"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" 
check_existence="all_exist" comment="Check for existence of line exec X :0 -nolisten tcp $@ in file /etc/X11/xinit/xserverrc" id="oval:org.open-scap.f14:tst:20248" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20248"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the InfoMsgFile=/etc/issue expression in the /etc/gdm/custom.conf file" id="oval:org.open-scap.f14:tst:20249" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20249"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20250" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20250"/> > </unix-def:runlevel_test> > <ind-def:unknown_test check="all" comment="Test implementation is unknown, unavailable, or impossible" id="oval:org.open-scap.f14:tst:20251" version="1"/> > <ind-def:unknown_test check="all" comment="Test implementation is unknown, unavailable, or impossible" id="oval:org.open-scap.f14:tst:20252" version="1"/> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the check-response-ttl[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20253" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20253"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20253"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the disallow-other-stacks[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20254" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20254"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20254"/> > </ind-def:textfilecontent54_test> > 
<ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the disable-publishing[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20255" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20255"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20255"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the disable-user-service-publishing[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20256" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20256"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20256"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the publish-hinfo[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20257" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20257"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20257"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the publish-workstation[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20258" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20258"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20258"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the publish-addresses[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20259" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20259"/> > <ind-def:state 
state_ref="oval:org.open-scap.f14:ste:20259"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the publish-domain[\s]*=[\s]*([^#]*) expression in the /etc/avahi/avahi-daemon.conf file" id="oval:org.open-scap.f14:tst:20260" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20260"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20260"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20261" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20261"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the Browsing[\s]+([^#]*) expression in the /etc/cups/cupsd.conf file" id="oval:org.open-scap.f14:tst:20264" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20264"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20264"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the BrowseAllow[\s]+none setting in the /etc/cups/cupsd.conf file" id="oval:org.open-scap.f14:tst:20265" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20265"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20266" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20266"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the <:begin:>BOOTPROTO[\s]*=[\s]*(<:nocomment:>*) setting in the /etc/sysconfig/network-scripts/ifcfg-eth.* file" id="oval:org.open-scap.f14:tst:20267" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:20267"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20268" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20268"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The dhcp package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20269" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20269"/> > </lin-def:rpminfo_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the ddns-update-style[\s]+none; setting in the /etc/dhcpd.conf file" id="oval:org.open-scap.f14:tst:20270" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20270"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the deny[\s]+declines; setting in the /etc/dhcpd.conf file" id="oval:org.open-scap.f14:tst:20271" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20271"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the deny[\s]+bootp; setting in the /etc/dhcpd.conf file" id="oval:org.open-scap.f14:tst:20272" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20272"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the daemon\.\*[\s]+/var/log/daemon\.log setting in the /etc/syslog.conf file" id="oval:org.open-scap.f14:tst:20280" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20280"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="any_exist" comment="Runlevel test" 
id="oval:org.open-scap.f14:tst:20281" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20281"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the restrict[\s]+default[\s]+ignore setting in the /etc/ntp.conf file" id="oval:org.open-scap.f14:tst:20282" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20282"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the /usr/local/sbin/ntpd -s setting in the /etc/rc.local file" id="oval:org.open-scap.f14:tst:20285" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20285"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20287" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20287"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the DAEMON[\s]*=[\s]*yes setting in the /etc/sysconfig/sendmail file" id="oval:org.open-scap.f14:tst:20288" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20288"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Tests the value of the tls_checkpeer[\s]+yes setting in the /etc/ldap.conf file" id="oval:org.open-scap.f14:tst:202885" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:202885"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20289" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20289"/> > </unix-def:runlevel_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing 
group ownership" id="oval:org.open-scap.f14:tst:20290" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20290"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20290"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20291" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20291"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20291"/> > </unix-def:file_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20292" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20292"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20293" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20293"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20294" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20294"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20295" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20295"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20296" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20296"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the LOCKD_TCPPORT[\s]*=[\s]*[0-9] setting in the /etc/sysconfig/nfs file" id="oval:org.open-scap.f14:tst:20297" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:20297"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the STATD_OUTGOING_PORT[\s]*=[\s]*[0-9] setting in the /etc/sysconfig/nfs file" id="oval:org.open-scap.f14:tst:20298" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20298"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the STATD_PORT[\s]*=[\s]*[0-9] setting in the /etc/sysconfig/nfs file" id="oval:org.open-scap.f14:tst:20299" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20299"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the LOCKD_UDPPORT[\s]*=[\s]*[0-9] setting in the /etc/sysconfig/nfs file" id="oval:org.open-scap.f14:tst:20300" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20300"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the MOUNTD_PORT[\s]*=[\s]*[0-9] setting in the /etc/sysconfig/nfs file" id="oval:org.open-scap.f14:tst:20301" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20301"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the RQUOTAD_PORT[\s]*=[\s]*[0-9] setting in the /etc/sysconfig/nfs file" id="oval:org.open-scap.f14:tst:20302" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20302"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20303" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20303"/> > </unix-def:runlevel_test> > <unix-def:runlevel_test 
check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20304" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20304"/> > </unix-def:runlevel_test> > <!-- <ind-def:textfilecontent54_test check_existence="all_exist" id="oval:org.open-scap.f14:tst:203051" version="1" check="all" comment="if type is nfs[4] in /etc/fstab options should contain nodev"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20016"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:203051"/> > </ind-def:textfilecontent54_test> --> > <!-- <ind-def:textfilecontent54_test check_existence="all_exist" id="oval:org.open-scap.f14:tst:203052" version="1" check="all" comment="if type is nfs[4] in /etc/mtab options should contain nodev"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:200162"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:203052"/> > </ind-def:textfilecontent54_test> --> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the no_root_squash setting in the /etc/exports file" id="oval:org.open-scap.f14:tst:20308" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20308"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the insecure setting in the /etc/exports file" id="oval:org.open-scap.f14:tst:20309" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20309"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the rw setting in the /etc/exports file" id="oval:org.open-scap.f14:tst:20310" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20310"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20311" 
version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20311"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The bind package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20312" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20312"/> > </lin-def:rpminfo_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20313" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20313"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20313"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing user ownership" id="oval:org.open-scap.f14:tst:20314" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20314"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20314"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20315" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20315"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20315"/> > </unix-def:file_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20317" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20317"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The vsftpd package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:203175" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:203175"/> > </lin-def:rpminfo_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the banner_file[\s]*=[\s]*/etc/issue setting in the /etc/vsftpd.conf file" 
id="oval:org.open-scap.f14:tst:20319" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20319"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20322" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20322"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The httpd package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20323" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20323"/> > </lin-def:rpminfo_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ServerTokens[\s]+([^#]*) expression in the /etc/httpd/conf/httpd.conf file" id="oval:org.open-scap.f14:tst:20324" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20324"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20324"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ServerSignature[\s]+([^#]*) expression in the /etc/httpd/conf/httpd.conf file" id="oval:org.open-scap.f14:tst:20325" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20325"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20325"/> > </ind-def:textfilecontent54_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20326" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20326"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20326"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20327" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20327"/> > 
<unix-def:state state_ref="oval:org.open-scap.f14:ste:20327"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20328" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20328"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20328"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing group ownership" id="oval:org.open-scap.f14:tst:20329" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20329"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20329"/> > </unix-def:file_test> > <unix-def:file_test check="all" check_existence="all_exist" comment="Testing file permissions" id="oval:org.open-scap.f14:tst:20330" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20330"/> > <unix-def:state state_ref="oval:org.open-scap.f14:ste:20330"/> > </unix-def:file_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20331" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20331"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The dovecot package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20332" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20332"/> > </lin-def:rpminfo_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the protocols[\s]*=.*imaps setting in the /etc/dovecot.conf file" id="oval:org.open-scap.f14:tst:20333" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20333"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the protocols[\s]*=.*pop3s setting in the /etc/dovecot.conf 
file" id="oval:org.open-scap.f14:tst:20334" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20334"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the protocols[\s]*=.*pop3 setting in the /etc/dovecot.conf file" id="oval:org.open-scap.f14:tst:20335" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20335"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the protocols[\s]*=.*imap setting in the /etc/dovecot.conf file" id="oval:org.open-scap.f14:tst:20336" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20336"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the disable_plaintext_auth[\s]*=[\s]*([^#]*) expression in the /etc/dovecot.conf file" id="oval:org.open-scap.f14:tst:20337" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20337"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20337"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the mail_drop_priv_before_exec[\s]*=[\s]*([^#]*) expression in the /etc/dovecot.conf file" id="oval:org.open-scap.f14:tst:20338" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20338"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20338"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the login_process_per_connection[\s]*=[\s]*([^#]*) expression in the /etc/dovecot.conf file" id="oval:org.open-scap.f14:tst:20339" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20339"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20339"/> > 
</ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20340" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20340"/> > </unix-def:runlevel_test> > <ind-def:textfilecontent54_test check="all" check_existence="none_exist" comment="check guest access in /etc/samba/smb.conf" id="oval:org.open-scap.f14:tst:203403" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:203403"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for client signing = mandatory in /etc/samba/smb.conf" id="oval:org.open-scap.f14:tst:2034010" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:2034010"/> > </ind-def:textfilecontent54_test> > <!-- <ind-def:textfilecontent54_test check_existence="at_least_one_exists" id="oval:org.open-scap.f14:tst:20340111" version="1" check="all" comment="check for sec=krb5i or sec=ntlmv2i in /etc/fstab" state_operator="OR"> --> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for sec=krb5i or sec=ntlmv2i in /etc/fstab" id="oval:org.open-scap.f14:tst:20340111" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20340111"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20340111"/> > <!-- <ind-def:state state_ref="oval:org.open-scap.f14:ste:20340112"/> --> > </ind-def:textfilecontent54_test> > <!-- <ind-def:textfilecontent54_test check_existence="at_least_one_exists" id="oval:org.open-scap.f14:tst:20340112" version="1" check="all" comment="check for sec=krb5i or sec=ntlmv2i in /etc/mtab" state_operator="OR"> --> > <ind-def:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="check for sec=krb5i or sec=ntlmv2i in /etc/mtab" id="oval:org.open-scap.f14:tst:20340112" version="1"> > <ind-def:object 
object_ref="oval:org.open-scap.f14:obj:20340112"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20340111"/> > <!-- <ind-def:state state_ref="oval:org.open-scap.f14:ste:20340112"/> --> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20341" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20341"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The squid package should be installed or not as appropriate" id="oval:org.open-scap.f14:tst:20342" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20342"/> > </lin-def:rpminfo_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ftp_passive[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20343" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20343"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20343"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ftp_sanitycheck[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20344" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20344"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20344"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the check_hostnames[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20345" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20345"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20345"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" 
check_existence="all_exist" comment="Tests the value of the request_header_max_size[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20346" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20346"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20346"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the reply_header_max_size[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20347" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20347"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20347"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the cache_effective_user[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20348" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20348"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20348"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the cache_effective_group[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20349" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20349"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20349"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ignore_unknown_nameservers[\s][\s]([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20350" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20350"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20350"/> > </ind-def:textfilecontent54_test> > 
<ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the allow_underscore[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20351" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20351"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20351"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the http_suppress_version_string[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20352" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20352"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20352"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the forwarded_for[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20353" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20353"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20353"/> > </ind-def:textfilecontent54_test> > <ind-def:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the log_mime_hdrs[\s]+([^#]*) expression in the /etc/squid/squid.conf file" id="oval:org.open-scap.f14:tst:20354" version="1"> > <ind-def:object object_ref="oval:org.open-scap.f14:obj:20354"/> > <ind-def:state state_ref="oval:org.open-scap.f14:ste:20354"/> > </ind-def:textfilecontent54_test> > <unix-def:runlevel_test check="all" check_existence="none_exist" comment="Runlevel test" id="oval:org.open-scap.f14:tst:20365" version="1"> > <unix-def:object object_ref="oval:org.open-scap.f14:obj:20365"/> > </unix-def:runlevel_test> > <lin-def:rpminfo_test check="all" check_existence="none_exist" comment="The net-snmp package should be installed or not as appropriate" 
id="oval:org.open-scap.f14:tst:20366" version="1"> > <lin-def:object object_ref="oval:org.open-scap.f14:obj:20366"/> > </lin-def:rpminfo_test> > </tests> > <objects> > <ind-def:textfilecontent54_object comment="look for the partition mount point in /etc/fstab" id="oval:org.open-scap.f14:obj:20000" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>fstab</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*[^[:space:]]+[[:space:]]+([^[:space:]]+)[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+</ind-def:pattern> > <!-- <ind-def:pattern operation="pattern match">^[\s]*[\S]+[\s]+([\S]+)[\s]+[\S]+[\s]+[\S]+[\s]+[\S]+[\s]+[\S]+</ind-def:pattern> --> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="Check existance of yum.cron" id="oval:org.open-scap.f14:obj:20009" version="1"> > <unix-def:path operation="pattern match">^/etc/cron\.(hourly|daily|weekly|monthly)$</unix-def:path> > <unix-def:filename>0yum.cron</unix-def:filename> > </unix-def:file_object> > <ind-def:textfilecontent54_object comment="look for the value of gpgcheck in /etc/yum.conf" id="oval:org.open-scap.f14:obj:20010" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>yum.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*([0-1])</ind-def:pattern> > <ind-def:instance datatype="int" operation="equals">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="look for the value of gpgcheck= in /etc/yum.repos.d" id="oval:org.open-scap.f14:obj:20011" version="1"> > <ind-def:path>/etc/yum.repos.d</ind-def:path> > <ind-def:filename operation="pattern match">.*</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*([0-1])</ind-def:pattern> > <ind-def:instance datatype="int" operation="equals">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="look for the value of repo_gpgcheck in /etc/yum.conf" id="oval:org.open-scap.f14:obj:20012" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>yum.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*repo_gpgcheck[[:space:]]*=[[:space:]]*([0-1])</ind-def:pattern> > <ind-def:instance datatype="int" operation="equals">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="look for the value of repo_gpgcheck= in /etc/yum.repos.d" id="oval:org.open-scap.f14:obj:20013" version="1"> > <ind-def:path>/etc/yum.repos.d</ind-def:path> > <ind-def:filename operation="pattern match">.*</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*repo_gpgcheck[[:space:]]*=[[:space:]]*([0-1])</ind-def:pattern> > <ind-def:instance datatype="int" operation="equals">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="file systems defined in /etc/fstab" id="oval:org.open-scap.f14:obj:20016" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>fstab</ind-def:filename> > <ind-def:pattern operation="pattern match">^[^#]*\/.+*ext[234]([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="file systems defined in /etc/mtab" id="oval:org.open-scap.f14:obj:200162" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>mtab</ind-def:filename> > <ind-def:pattern operation="pattern match">^[^#]*\/[^[:space:]]*ext[234]([^#])?</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> 
> </ind-def:textfilecontent54_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:10000" version="1"> > <lin-def:name>redhat-release</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:200065" version="1"> > <lin-def:name>gpg-pubkey</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:family_object id="oval:org.open-scap.f14:obj:10001" version="1"/> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20008" version="1"> > <unix-def:service_name>yum-updatesd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20014" version="1"> > <lin-def:name>aide</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object comment="<console> and <xconsole> in /etc/security/console.perms.d/50-default.perms" id="oval:org.open-scap.f14:obj:20020" version="1"> > <ind-def:path>/etc/security/console.perms.d</ind-def:path> > <ind-def:filename>50-default.perms</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*(<console>|<xconsole>)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="/lib/modules/*/kernel/drivers/usb/storage/usb-storage.ko" id="oval:org.open-scap.f14:obj:20022" version="1"> > <unix-def:path operation="pattern match">/lib/modules/.*/kernel/drivers/usb/storage</unix-def:path> > <unix-def:filename>usb-storage.ko</unix-def:filename> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20023" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>grub.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*kernel[^#]nousb</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > 
<unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20025" version="1"> > <unix-def:service_name>autofs</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:xmlfilecontent_object id="oval:org.open-scap.f14:obj:20026" version="1"> > <ind-def:path>/etc/gconf</ind-def:path> > <ind-def:filename>gconf.xml.mandatory</ind-def:filename> > <ind-def:xpath>/desktop/gnome/volume_manager/automount_(media)|(drives)</ind-def:xpath> > </ind-def:xmlfilecontent_object> > <ind-def:textfilecontent54_object comment="Check in /etc/modprobe.conf for modules being loaded" id="oval:org.open-scap.f14:obj:20027" version="1"> > <ind-def:path>/etc/modprobe.d</ind-def:path> > <ind-def:filename>blacklist.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[^#]*blacklist[[:space:]]+([^#]*)$</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="/etc/shadow" id="oval:org.open-scap.f14:obj:20034" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>shadow</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/group" id="oval:org.open-scap.f14:obj:20036" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>group</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/gshadow" id="oval:org.open-scap.f14:obj:20038" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>gshadow</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/passwd" id="oval:org.open-scap.f14:obj:20040" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>passwd</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="all local files" id="oval:org.open-scap.f14:obj:200461" version="1"> > <set set_operator="UNION"> > 
<object_reference>oval:org.open-scap.f14:obj:20046</object_reference> > <filter>oval:org.open-scap.f14:ste:200462</filter> > </set> > </unix-def:file_object> > <unix-def:file_object comment="all local directories" id="oval:org.open-scap.f14:obj:20046" version="1"> > <unix-def:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local"/> > <unix-def:path>/</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="all local files" id="oval:org.open-scap.f14:obj:200471" version="1"> > <set set_operator="UNION"> > <object_reference>oval:org.open-scap.f14:obj:20047</object_reference> > <filter>oval:org.open-scap.f14:ste:200471</filter> > <filter>oval:org.open-scap.f14:ste:200472</filter> > </set> > </unix-def:file_object> > <unix-def:file_object comment="all local files" id="oval:org.open-scap.f14:obj:20047" version="1"> > <unix-def:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local"/> > <unix-def:path>/</unix-def:path> > <unix-def:filename operation="pattern match">.*</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="all local files with sgid bit set" id="oval:org.open-scap.f14:obj:20048" version="1"> > <set set_operator="UNION"> > <object_reference>oval:org.open-scap.f14:obj:20047</object_reference> > <filter>oval:org.open-scap.f14:ste:200481</filter> > <filter>oval:org.open-scap.f14:ste:200482</filter> > <filter>oval:org.open-scap.f14:ste:200483</filter> > <filter>oval:org.open-scap.f14:ste:200484</filter> > <filter>oval:org.open-scap.f14:ste:200485</filter> > <filter>oval:org.open-scap.f14:ste:200486</filter> > <filter>oval:org.open-scap.f14:ste:200487</filter> > <filter>oval:org.open-scap.f14:ste:200488</filter> > </set> > </unix-def:file_object> > <unix-def:file_object comment="all local files with suid bit set" id="oval:org.open-scap.f14:obj:20049" version="1"> > <set 
set_operator="UNION"> > <object_reference>oval:org.open-scap.f14:obj:20047</object_reference> > <filter>oval:org.open-scap.f14:ste:2004901</filter> > <filter>oval:org.open-scap.f14:ste:2004902</filter> > <filter>oval:org.open-scap.f14:ste:2004903</filter> > <filter>oval:org.open-scap.f14:ste:2004904</filter> > <filter>oval:org.open-scap.f14:ste:2004905</filter> > <filter>oval:org.open-scap.f14:ste:2004906</filter> > <filter>oval:org.open-scap.f14:ste:2004907</filter> > <filter>oval:org.open-scap.f14:ste:2004908</filter> > <filter>oval:org.open-scap.f14:ste:2004909</filter> > <filter>oval:org.open-scap.f14:ste:2004910</filter> > <filter>oval:org.open-scap.f14:ste:2004911</filter> > <filter>oval:org.open-scap.f14:ste:2004912</filter> > <filter>oval:org.open-scap.f14:ste:2004913</filter> > <filter>oval:org.open-scap.f14:ste:2004914</filter> > <filter>oval:org.open-scap.f14:ste:2004915</filter> > <filter>oval:org.open-scap.f14:ste:2004916</filter> > </set> > </unix-def:file_object> > <unix-def:file_object comment="all local files without a valid user assigned" id="oval:org.open-scap.f14:obj:20050" version="1"> > <set set_operator="UNION"> > <object_reference>oval:org.open-scap.f14:obj:20047</object_reference> > <filter>oval:org.open-scap.f14:ste:20050</filter> > </set> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200501" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>passwd</ind-def:filename> > <ind-def:pattern operation="pattern match">^[^:]+:[^:]+:([[:digit:]]+):[[:digit:]]+:[^:]*:[^:]+:[^:]*</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="all local files without a valid group assigned" id="oval:org.open-scap.f14:obj:20051" version="1"> > <set set_operator="UNION"> > <object_reference>oval:org.open-scap.f14:obj:20047</object_reference> > 
<filter>oval:org.open-scap.f14:ste:20051</filter> > </set> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200511" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match">^[^:]+:[^:]*:([[:digit:]]+):[^:]*</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="world writable directories with uid not less than 500" id="oval:org.open-scap.f14:obj:20052" version="1"> > <set set_operator="UNION"> > <object_reference>oval:org.open-scap.f14:obj:20046</object_reference> > <filter>oval:org.open-scap.f14:ste:20052</filter> > </set> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20053" version="1"> > <ind-def:path>/etc/rc.d/init.d</ind-def:path> > <ind-def:filename>functions</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*umask[[:space:]]+([[:digit:]]+).*</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20055" version="1"> > <ind-def:path>/etc/security</ind-def:path> > <ind-def:filename>limits.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*\*[[:space:]]+hard[[:space:]]+core[[:space:]]+([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20056" version="1"> > <ind-def:path>/proc/sys/fs</ind-def:path> > <ind-def:filename>suid_dumpable</ind-def:filename> > <ind-def:pattern operation="pattern match">^(.*)$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object 
id="oval:org.open-scap.f14:obj:20058" version="1"> > <ind-def:path>/proc/sys/kernel</ind-def:path> > <ind-def:filename>randomize_va_space</ind-def:filename> > <ind-def:pattern operation="pattern match">^(.*)$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20057" version="1"> > <ind-def:path>/proc/sys/kernel</ind-def:path> > <ind-def:filename>exec-shield</ind-def:filename> > <ind-def:pattern operation="pattern match">^(.*)$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20061" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>securetty</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*tty[0-9]+[[:space:]]*(#.*)?$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20062" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>securetty</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*vc\/[0-9]+[[:space:]]*(#.*)?$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20063" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>securetty</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*console[[:space:]]*(#.*)?$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20064" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>securetty</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^[[:space:]]*ttyS[0-9]+[[:space:]]*(#.*)?$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20065" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*wheel.*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20066" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>su</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid([[[:space:]]#].*)?$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20067" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sudoers</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:password_object id="oval:org.open-scap.f14:obj:20068" version="1"> > <unix-def:username operation="not equal">root</unix-def:username> > </unix-def:password_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20069" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>shadow</ind-def:filename> > <ind-def:pattern operation="pattern match">^[^:]*::</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:password_object id="oval:org.open-scap.f14:obj:200695" version="1"> > <unix-def:username operation="pattern match">.*</unix-def:username> > 
</unix-def:password_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20070" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>passwd</ind-def:filename> > <ind-def:pattern operation="pattern match">^([^:]+):[^:]*:0:.*</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20071" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>login.defs</ind-def:filename> > <ind-def:pattern operation="pattern match">^PASS_MIN_LEN[[:space:]]*(.*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20072" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>login.defs</ind-def:filename> > <ind-def:pattern operation="pattern match">^PASS_MIN_DAYS[[:space:]]*(.*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20073" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>login.defs</ind-def:filename> > <ind-def:pattern operation="pattern match">^PASS_MAX_DAYS[[:space:]]*(.*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20074" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>login.defs</ind-def:filename> > <ind-def:pattern operation="pattern match">^PASS_WARN_AGE[[:space:]]*(.*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20075" version="1"> > <ind-def:path>/etc</ind-def:path> > 
<ind-def:filename>passwd</ind-def:filename> > <ind-def:pattern operation="pattern match">^\+:</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20076" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match">^\+:</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20077" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>passwd</ind-def:filename> > <ind-def:pattern operation="pattern match">^\+:</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200781" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_cracklib\.so[[:space:]]+try_first_pass[[:space:]]+.*retry=([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200782" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_cracklib\.so[[:space:]]+try_first_pass[[:space:]]+.*minlen=([1-9][[:digit:]]*)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200783" version="1"> > 
<ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_cracklib\.so[[:space:]]+try_first_pass[[:space:]]+.*dcredit=([-]?[[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200784" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_cracklib\.so[[:space:]]+try_first_pass[[:space:]]+.*ucredit=([-]?[[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200785" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_cracklib\.so[[:space:]]+try_first_pass[[:space:]]+.*ocredit=([-]?[[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200786" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_cracklib\.so[[:space:]]+try_first_pass[[:space:]]+.*lcredit=([-]?[[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object 
id="oval:org.open-scap.f14:obj:200787" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_cracklib\.so[[:space:]]+try_first_pass[[:space:]]+.*difok=([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:variable_object id="oval:org.open-scap.f14:obj:200800" version="1"> > <ind-def:var_ref>oval:org.open-scap.f14:var:200803</ind-def:var_ref> > </ind-def:variable_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2008011" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally2\.so[[:space:]]+onerr\=fail[[:space:]]+.*deny=([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2008012" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally2\.so[[:space:]]+onerr\=fail[[:space:]]+.*[^u][^n]lock_time=([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2008013" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_tally2\.so[[:space:]]+onerr\=fail[[:space:]]+.*unlock_time=([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200803" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_tally2\.so$</ind-def:pattern> > <ind-def:instance datatype="int" operation="equals">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="/usr/sbin/userhelper" id="oval:org.open-scap.f14:obj:20081" version="1"> > <unix-def:path>/usr/sbin</unix-def:path> > <unix-def:filename>userhelper</unix-def:filename> > </unix-def:file_object> > <ind-def:variable_object id="oval:org.open-scap.f14:obj:200831" version="1"> > <ind-def:var_ref>oval:org.open-scap.f14:var:20083</ind-def:var_ref> > </ind-def:variable_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200832" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>login.defs</ind-def:filename> > <ind-def:pattern operation="pattern match">^MD5_CRYPT_ENAB[[:space:]]+(yes|no)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200833" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>login.defs</ind-def:filename> > <ind-def:pattern operation="pattern match">^ENCRYPT_METHOD[[:space:]]+(MD5|SHA256|SHA512)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200834" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > 
<ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so[[:space:]]+(sha256|sha512)*|^password[[:space:]]+required[[:space:]]+pam_unix\.so[[:space:]]+(sha256|sha512)*</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200835" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>libuser.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^crypt_style[[:space:]]+\=[[:space:]]+(sha256|sha512)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:variable_object id="oval:org.open-scap.f14:obj:200841" version="1"> > <ind-def:var_ref>oval:org.open-scap.f14:var:20084</ind-def:var_ref> > </ind-def:variable_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:200842" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename>system-auth</ind-def:filename> > <ind-def:pattern operation="pattern match">^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so[[:space:]]+.*remember=([[:digit:]]+)|^password[[:space:]]+required[[:space:]]+pam_unix\.so[[:space:]]+.*remember=([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:environmentvariable_object id="oval:org.open-scap.f14:obj:20085" version="1"> > <ind-def:name>PATH</ind-def:name> > </ind-def:environmentvariable_object> > <unix-def:file_object comment="root's PATH filtered" id="oval:org.open-scap.f14:obj:2008551" version="1"> > <set set_operator="UNION"> > <object_reference>oval:org.open-scap.f14:obj:200855</object_reference> > <filter>oval:org.open-scap.f14:ste:2008551</filter> > </set> > </unix-def:file_object> > <unix-def:file_object comment="root's PATH" 
id="oval:org.open-scap.f14:obj:200855" version="1"> > <unix-def:path var_check="at least one" var_ref="oval:org.open-scap.f14:var:200855"/> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/home/*" id="oval:org.open-scap.f14:obj:20086" version="1"> > <unix-def:behaviors max_depth="1" recurse="directories" recurse_direction="down"/> > <unix-def:path>/home</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20087" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>bashrc</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*umask[[:space:]]+([[:alnum:]]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20088" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>csh.cshrc</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*umask[[:space:]]+([[:alnum:]]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="/boot/grub/grub.conf" id="oval:org.open-scap.f14:obj:20092" version="1"> > <unix-def:path>/boot/grub</unix-def:path> > <unix-def:filename>grub.conf</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/boot/grub/grub.conf" id="oval:org.open-scap.f14:obj:20094" version="1"> > <unix-def:path>/boot/grub</unix-def:path> > <unix-def:filename>grub.conf</unix-def:filename> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20095" version="1"> > <ind-def:path>/boot/grub</ind-def:path> > <ind-def:filename>grub.conf</ind-def:filename> > <ind-def:pattern 
operation="pattern match">password[[:space:]]+--md5[[:space:]]+.*</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="/etc/grub.conf" id="oval:org.open-scap.f14:obj:20093" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>grub.conf</unix-def:filename> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:73" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>inittab</ind-def:filename> > <ind-def:pattern operation="pattern match">~~:S:wait:/sbin/sulogin</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20096" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>init</ind-def:filename> > <ind-def:pattern operation="pattern match">PROMPT[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20098" version="1"> > <ind-def:path>/etc/profile.d</ind-def:path> > <ind-def:filename>autologout.csh</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*set[\s]+-r[\s]+autologout[\s]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:xmlfilecontent_object id="oval:org.open-scap.f14:obj:20100" version="1"> > <ind-def:path>/etc/gconf/gconf.xml.defaults</ind-def:path> > <ind-def:filename>%gconf-tree.xml</ind-def:filename> > <ind-def:xpath>/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_delay']/local_schema[1]/default[1]/@value</ind-def:xpath> > </ind-def:xmlfilecontent_object> > <ind-def:xmlfilecontent_object id="oval:org.open-scap.f14:obj:201005" version="1"> > 
<ind-def:path>/etc/gconf/gconf.xml.defaults</ind-def:path> > <ind-def:filename>%gconf-tree.xml</ind-def:filename> > <ind-def:xpath>/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='idle_activation_enabled']/local_schema[1]/default[1]/@value</ind-def:xpath> > </ind-def:xmlfilecontent_object> > <ind-def:xmlfilecontent_object id="oval:org.open-scap.f14:obj:201006" version="1"> > <ind-def:path>/etc/gconf/gconf.xml.defaults</ind-def:path> > <ind-def:filename>%gconf-tree.xml</ind-def:filename> > <ind-def:xpath>/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='lock_enabled']/local_schema[1]/default[1]/@value</ind-def:xpath> > </ind-def:xmlfilecontent_object> > <ind-def:xmlfilecontent_object id="oval:org.open-scap.f14:obj:201007" version="1"> > <ind-def:path>/etc/gconf/gconf.xml.defaults</ind-def:path> > <ind-def:filename>%gconf-tree.xml</ind-def:filename> > <ind-def:xpath>/gconf/dir[@name='schemas']/dir[@name='apps']/dir[@name='gnome-screensaver']/entry[@name='mode']/local_schema[1]/default[1]/stringvalue[1]/text()</ind-def:xpath> > </ind-def:xmlfilecontent_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20101" version="1"> > <lin-def:name>vlock</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20102" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>issue</ind-def:filename> > <ind-def:pattern operation="pattern match">(.*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:xmlfilecontent_object id="oval:org.open-scap.f14:obj:20103" version="1"> > <ind-def:path>/usr/share/gdm/themes/RHEL</ind-def:path> > <ind-def:filename>RHEL.xml</ind-def:filename> > <ind-def:xpath>/greeter/item[@id='banner']/box[1]/item[@id='DOD_Banner']/text[1]</ind-def:xpath> > </ind-def:xmlfilecontent_object> > <ind-def:textfilecontent54_object 
id="oval:org.open-scap.f14:obj:20104" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>grub.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">[[:space:]]selinux=([^[:space:]]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20105" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>grub.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">[[:space:]]enforcing=([^[:space:]]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20106" version="1"> > <ind-def:path>/etc/selinux</ind-def:path> > <ind-def:filename>config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*([[:alnum:]]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20107" version="1"> > <ind-def:path>/etc/selinux</ind-def:path> > <ind-def:filename>config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*([[:alnum:]]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20109" version="1"> > <unix-def:service_name>setroubleshoot</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20108" version="1"> > <lin-def:name>setroubleshoot</lin-def:name> > </lin-def:rpminfo_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20110" version="1"> > 
<unix-def:service_name>mcstrans</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20111" version="1"> > <unix-def:service_name>restorecond</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <!-- EDIT --> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201120" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/default</ind-def:path> > <ind-def:filename>send_redirects</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201121" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.default\.send_redirects[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201130" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/all</ind-def:path> > <ind-def:filename>send_redirects</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201131" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.all\.send_redirects[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > 
</ind-def:textfilecontent54_object> > <!-- ^^^ ok ^^^ --> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201140" version="1"> > <ind-def:path>/proc/sys/net/ipv4</ind-def:path> > <ind-def:filename>ip_forward</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201141" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201150" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/all</ind-def:path> > <ind-def:filename>accept_source_route</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201151" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.all\.accept_source_route[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201160" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/all</ind-def:path> > <ind-def:filename>accept_redirects</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > 
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201161" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.all\.accept_redirects[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201170" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/all</ind-def:path> > <ind-def:filename>secure_redirects</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201171" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.all\.secure_redirects[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201180" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/all</ind-def:path> > <ind-def:filename>log_martians</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201181" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.all\.log_martians[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > 
</ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201190" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/default</ind-def:path> > <ind-def:filename>accept_source_route</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201191" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.default\.accept_source_route[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201200" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/default</ind-def:path> > <ind-def:filename>accept_redirects</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201201" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.default\.accept_redirects[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201210" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/default</ind-def:path> > <ind-def:filename>secure_redirects</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > 
</ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201211" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.default\.secure_redirects[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201220" version="1"> > <ind-def:path>/proc/sys/net/ipv4</ind-def:path> > <ind-def:filename>icmp_echo_ignore_broadcasts</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201221" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.icmp_echo_ignore_broadcasts[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201230" version="1"> > <ind-def:path>/proc/sys/net/ipv4</ind-def:path> > <ind-def:filename>icmp_ignore_bogus_error_responses</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201231" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.icmp_ignore_bogus_error_responses[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > 
<ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201240" version="1"> > <ind-def:path>/proc/sys/net/ipv4</ind-def:path> > <ind-def:filename>tcp_syncookies</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201241" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.tcp_syncookies[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201250" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/all</ind-def:path> > <ind-def:filename>rp_filter</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201251" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.all\.rp_filter[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201260" version="1"> > <ind-def:path>/proc/sys/net/ipv4/conf/default</ind-def:path> > <ind-def:filename>rp_filter</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > 
</ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201261" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv4\.conf\.default\.rp_filter[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <!-- ^^^ ok ^^^ --> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20128" version="1"> > <ind-def:path>/proc/net</ind-def:path> > <ind-def:filename>wireless</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*([^[:space:]]*):.*</ind-def:pattern> > <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="/lib/modules/*/kernel/drivers/net/wireless" id="oval:org.open-scap.f14:obj:20129" version="1"> > <unix-def:path operation="pattern match">/lib/modules/.*/kernel/drivers/net/wireless$</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20130" version="1"> > <ind-def:path>/etc/modprobe.d</ind-def:path> > <ind-def:filename>dist.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*alias[[:space:]]+net-pf-10[[:space:]]+off[[:space:]]*(#.*)?$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20132" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>network</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*NETWORKING_IPV6[[:space:]]*=[[:space:]]*([^#]*).*$</ind-def:pattern> > <ind-def:instance 
datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20133" version="1"> > <ind-def:path>/etc/sysconfig/network-scripts</ind-def:path> > <ind-def:filename operation="pattern match">ifcfg-.*</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*NETWORKING_IPV6[[:space:]]*=[[:space:]]*([^#]*).*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20131" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>network</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*IPV6INIT[[:space:]]*=[[:space:]]*([^#]*).*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20134" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>network</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*IPV6INIT[[:space:]]*=[[:space:]]*([^#]*).*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <!-- sysctl --> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201400" version="1"> > <ind-def:path>/proc/sys/net/ipv6/conf/default</ind-def:path> > <ind-def:filename>accept_ra_rtr_pref</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201401" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_rtr_pref[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201450" version="1"> > <ind-def:path>/proc/sys/net/ipv6/conf/default</ind-def:path> > <ind-def:filename>max_addresses</ind-def:filename> > <ind-def:pattern operation="pattern match">^([0-9]+)$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201451" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv6\.conf\.default\.max_addresses[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201390" version="1"> > <ind-def:path>/proc/sys/net/ipv6/conf/default</ind-def:path> > <ind-def:filename>router_solicitations</ind-def:filename> > <ind-def:pattern operation="pattern match">^([0-9]+)$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201391" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv6\.conf\.default\.router_solicitations[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201440" version="1"> > <ind-def:path>/proc/sys/net/ipv6/conf/default</ind-def:path> > 
<ind-def:filename>dad_transmits</ind-def:filename> > <ind-def:pattern operation="pattern match">^([0-9]+)$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201441" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv6\.conf\.default\.dad_transmits[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201430" version="1"> > <ind-def:path>/proc/sys/net/ipv6/conf/default</ind-def:path> > <ind-def:filename>autoconf</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201431" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv6\.conf\.default\.autoconf[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201410" version="1"> > <ind-def:path>/proc/sys/net/ipv6/conf/default</ind-def:path> > <ind-def:filename>accept_ra_pinfo</ind-def:filename> > <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201411" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>sysctl.conf</ind-def:filename> > 
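<ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_pinfo[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern>
<ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201420" version="1">
  <ind-def:path>/proc/sys/net/ipv6/conf/default</ind-def:path>
  <ind-def:filename>accept_ra_defrtr</ind-def:filename>
  <ind-def:pattern operation="pattern match">^([01])$</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201421" version="1">
  <ind-def:path>/etc</ind-def:path>
  <ind-def:filename>sysctl.conf</ind-def:filename>
  <ind-def:pattern operation="pattern match">^[[:space:]]*net\.ipv6\.conf\.default\.accept_ra_defrtr[[:space:]]*=[[:space:]]*([01])[[:space:]]*$</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<!-- non-sysctl -->
<unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20146" version="1">
  <unix-def:service_name>ip6tables</unix-def:service_name>
  <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel>
</unix-def:runlevel_object>
<unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20147" version="1">
  <unix-def:service_name>iptables</unix-def:service_name>
  <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel>
</unix-def:runlevel_object>
<!-- Default-policy lines of /etc/sysconfig/iptables, e.g. ":INPUT DROP [0:0]".
     The separators between chain name, policy and counters must be written as
     [[:space:]]: a bare [:space:] outside a bracket expression is not a whitespace
     class (PCRE rejects it as a compile error; POSIX reads it as the character set
     ":space"), so the original four objects could never match a real policy line
     and the tests that reference them could not evaluate the firewall policy. -->
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2014741" version="1">
  <ind-def:path>/etc/sysconfig</ind-def:path>
  <ind-def:filename>iptables</ind-def:filename>
  <ind-def:pattern operation="pattern match">^[[:space:]]*:INPUT[[:space:]]+DROP[[:space:]]+\[0:0\]</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2014742" version="1">
  <ind-def:path>/etc/sysconfig</ind-def:path>
  <ind-def:filename>iptables</ind-def:filename>
  <ind-def:pattern operation="pattern match">^[[:space:]]*:INPUT[[:space:]]+ACCEPT[[:space:]]+\[0:0\]</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2014751" version="1">
  <ind-def:path>/etc/sysconfig</ind-def:path>
  <ind-def:filename>iptables</ind-def:filename>
  <ind-def:pattern operation="pattern match">^[[:space:]]*:FORWARD[[:space:]]+DROP[[:space:]]+\[0:0\]</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2014752" version="1">
  <ind-def:path>/etc/sysconfig</ind-def:path>
  <ind-def:filename>iptables</ind-def:filename>
  <ind-def:pattern operation="pattern match">^[[:space:]]*:FORWARD[[:space:]]+ACCEPT[[:space:]]+\[0:0\]</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<!-- Module disable entries in /etc/modprobe.d/dist.conf. NOTE(review): "pattern match"
     is case-sensitive, so these only match the upper-case spelling
     "install DCCP /bin/true"; confirm that the guidance writes the module names
     in upper case, otherwise a lower-case "install dccp /bin/true" goes undetected. -->
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201476" version="1">
  <ind-def:path>/etc/modprobe.d</ind-def:path>
  <ind-def:filename>dist.conf</ind-def:filename>
  <ind-def:pattern operation="pattern match">^[[:space:]]*install[[:space:]]+DCCP[[:space:]]+/bin/true</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201477" version="1">
  <ind-def:path>/etc/modprobe.d</ind-def:path>
  <ind-def:filename>dist.conf</ind-def:filename>
  <ind-def:pattern operation="pattern match">^[[:space:]]*install[[:space:]]+SCTP[[:space:]]+/bin/true</ind-def:pattern>
  <ind-def:instance datatype="int">1</ind-def:instance>
</ind-def:textfilecontent54_object>
<ind-def:textfilecontent54_object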
id="oval:org.open-scap.f14:obj:201478" version="1"> > <ind-def:path>/etc/modprobe.d</ind-def:path> > <ind-def:filename>dist.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*install[[:space:]]+RDS[[:space:]]+/bin/true</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201479" version="1"> > <ind-def:path>/etc/modprobe.d</ind-def:path> > <ind-def:filename>dist.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*install[[:space:]]+TIPC[[:space:]]+/bin/true</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20148" version="1"> > <unix-def:service_name>rsyslog</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object comment="paths in /etc/syslog.conf" id="oval:org.open-scap.f14:obj:201490" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>rsyslog.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[^\#][[:space:]]*[^[:space:]]+\.[^[:space:]]+[[:space:]]+[\-]?([^[:space:]]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:file_object comment="Mandatory log files" id="oval:org.open-scap.f14:obj:201491" version="1"> > <unix-def:behaviors max_depth="4" recurse="directories" recurse_direction="down"/> > <unix-def:path>/var/log</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:201490"/> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20152" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>rsyslog.conf</ind-def:filename> > <ind-def:pattern 
operation="pattern match">^[^#]*\*\.\*[[:space:]]+@</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20153" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>rsyslog</ind-def:filename> > <ind-def:pattern operation="pattern match">SYSLOGD_OPTIONS[[:space:]]*=[[:space:]]*.*-r.*</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <!-- > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20154" version="1" comment="paths in /etc/rsyslog.conf should be in /etc/logrotate.d/syslog"> > <ind-def:path>/etc/logrotate.d</ind-def:path> > <ind-def:filename>syslog</ind-def:filename> > <ind-def:pattern operation="pattern match" var_check="at least one" var_ref="oval:org.open-scap.f14:var:201490"></ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> >--> > <!-- END --> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20156" version="1"> > <unix-def:service_name>auditd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20157" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>grub.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*kernel.+[[:space:]]audit=1</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2015750" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]adjtimex[[:space:]]\-S[[:space:]]settimeofday[[:space:]]\-S[[:space:]]stime[[:space:]]\-k[[:space:]]time\-change$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2015751" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]clock_settime[[:space:]]\-k[[:space:]]time\-change$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2015752" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]adjtimex[[:space:]]\-S[[:space:]]settimeofday[[:space:]]\-S[[:space:]]stime[[:space:]]\-k[[:space:]]time\-change$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2015753" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]clock_settime[[:space:]]\-k[[:space:]]time\-change$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2015754" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > 
<ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/localtime[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]time\-change$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201580" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/group[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]identity$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201581" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/passwd[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]identity$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201582" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/gshadow[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]identity$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201583" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/shadow[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]identity$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object 
id="oval:org.open-scap.f14:obj:201584" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/security/opasswd[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]identity$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201590" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]exit,always[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]sethostname[[:space:]]\-S[[:space:]]setdomainname[[:space:]]\-k[[:space:]]system\-locale$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201591" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]exit,always[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]sethostname[[:space:]]\-S[[:space:]]setdomainname[[:space:]]\-k[[:space:]]system\-locale$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201592" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/issue[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]system\-locale$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201593" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > 
<ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/issue\.net[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]system\-locale$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201594" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/hosts[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]system\-locale$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201595" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/sysconfig/network[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]system\-locale$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20160" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/selinux/[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]MAC\-policy$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201610" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/var/log/faillog[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]logins$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> 
> </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201611" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/var/log/lastlog[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]logins$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201620" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/var/run/utmp[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]session$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201621" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/var/log/btmp[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]session$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201622" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/var/log/wtmp[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]session$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201630" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]chmod[[:space:]]\-S[[:space:]]fchmod[[:space:]]\-S[[:space:]]fchmodat[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]perm_mod$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201631" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]chown[[:space:]]\-S[[:space:]]fchown[[:space:]]\-S[[:space:]]fchownat[[:space:]]\-S[[:space:]]lchown[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]perm_mod$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201632" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]setxattr[[:space:]]\-S[[:space:]]lsetxattr[[:space:]]\-S[[:space:]]fsetxattr[[:space:]]\-S[[:space:]]removexattr[[:space:]]\-S[[:space:]]lremovexattr[[:space:]]\-S[[:space:]]fremovexattr[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]perm_mod$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201633" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]chmod[[:space:]]\-S[[:space:]]fchmod[[:space:]]\-S[[:space:]]fchmodat[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]perm_mod$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201634" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]chown[[:space:]]\-S[[:space:]]fchown[[:space:]]\-S[[:space:]]fchownat[[:space:]]\-S[[:space:]]lchown[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]perm_mod$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201635" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]setxattr[[:space:]]\-S[[:space:]]lsetxattr[[:space:]]\-S[[:space:]]fsetxattr[[:space:]]\-S[[:space:]]removexattr[[:space:]]\-S[[:space:]]lremovexattr[[:space:]]\-S[[:space:]]fremovexattr[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]perm_mod$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201640" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]creat[[:space:]]\-S[[:space:]]open[[:space:]]\-S[[:space:]]openat[[:space:]]\-S[[:space:]]truncate[[:space:]]\-S[[:space:]]ftruncate[[:space:]]\-F[[:space:]]exit=\-EACCES[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]access$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201641" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]creat[[:space:]]\-S[[:space:]]open[[:space:]]\-S[[:space:]]openat[[:space:]]\-S[[:space:]]truncate[[:space:]]\-S[[:space:]]ftruncate[[:space:]]\-F[[:space:]]exit=\-EPERM[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]access$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201642" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]creat[[:space:]]\-S[[:space:]]open[[:space:]]\-S[[:space:]]openat[[:space:]]\-S[[:space:]]truncate[[:space:]]\-S[[:space:]]ftruncate[[:space:]]\-F[[:space:]]exit=\-EACCES[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]access$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201643" version="1"> > 
<ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]creat[[:space:]]\-S[[:space:]]open[[:space:]]\-S[[:space:]]openat[[:space:]]\-S[[:space:]]truncate[[:space:]]\-S[[:space:]]ftruncate[[:space:]]\-F[[:space:]]exit=\-EPERM[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]access$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20165" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]-F[[:space:]]path=/bin/ping[[:space:]]-F perm=x[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]privileged</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201660" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]mount[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]export$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201661" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]mount[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]export$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:uname_object id="oval:org.open-scap.f14:obj:201670" version="1"/> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201671" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b32[[:space:]]\-S[[:space:]]unlink[[:space:]]\-S[[:space:]]unlinkat[[:space:]]\-S[[:space:]]rename[[:space:]]\-S[[:space:]]renameat[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]delete$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201673" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-F[[:space:]]arch=b64[[:space:]]\-S[[:space:]]unlink[[:space:]]\-S[[:space:]]unlinkat[[:space:]]\-S[[:space:]]rename[[:space:]]\-S[[:space:]]renameat[[:space:]]\-F[[:space:]]auid>=500[[:space:]]\-F[[:space:]]auid!=4294967295[[:space:]]\-k[[:space:]]delete$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20168" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/etc/sudoers[[:space:]]\-p[[:space:]]wa[[:space:]]\-k[[:space:]]actions</ind-def:pattern> > 
<ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2016851" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/sbin/insmod[[:space:]]\-p[[:space:]]x[[:space:]]\-k[[:space:]]modules</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2016852" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/sbin/rmmod[[:space:]]\-p[[:space:]]x[[:space:]]\-k[[:space:]]modules</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2016853" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-w[[:space:]]/sbin/modprobe[[:space:]]\-p[[:space:]]x[[:space:]]\-k[[:space:]]modules</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2016854" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-a[[:space:]]always,exit[[:space:]]\-S[[:space:]]init_module[[:space:]]\-S[[:space:]]delete_module[[:space:]]\-k[[:space:]]modules</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201745" version="1"> > <ind-def:path>/etc/xinetd.d</ind-def:path> > 
<ind-def:filename>telnet</ind-def:filename> > <ind-def:pattern operation="pattern match" var_check="all" var_ref="oval:org.open-scap.f14:var:2017"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201774" version="1"> > <ind-def:path>/etc/xinetd.d</ind-def:path> > <ind-def:filename>rcp</ind-def:filename> > <ind-def:pattern operation="pattern match" var_check="all" var_ref="oval:org.open-scap.f14:var:2017"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201775" version="1"> > <ind-def:path>/etc/xinetd.d</ind-def:path> > <ind-def:filename>rsh</ind-def:filename> > <ind-def:pattern operation="pattern match" var_check="all" var_ref="oval:org.open-scap.f14:var:2017"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201776" version="1"> > <ind-def:path>/etc/xinetd.d</ind-def:path> > <ind-def:filename>rlogin</ind-def:filename> > <ind-def:pattern operation="pattern match" var_check="all" var_ref="oval:org.open-scap.f14:var:2017"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:201825" version="1"> > <ind-def:path>/etc/xinetd.d</ind-def:path> > <ind-def:filename>tftp</ind-def:filename> > <ind-def:pattern operation="pattern match" var_check="all" var_ref="oval:org.open-scap.f14:var:2017"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20178" version="1"> > <ind-def:path>/etc/pam.d</ind-def:path> > <ind-def:filename operation="pattern match">.*</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^[[:space:]]*.*pam_rhosts</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20169" version="1"> > <ind-def:path>/etc/audit</ind-def:path> > <ind-def:filename>audit.rules</ind-def:filename> > <ind-def:pattern operation="pattern match">^\-e[[:space:]]2</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20170" version="1"> > <unix-def:service_name>inetd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20171" version="1"> > <unix-def:service_name>xinetd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20179" version="1"> > <lin-def:name>rsh</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20172" version="1"> > <lin-def:name>inetd</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20173" version="1"> > <lin-def:name>xinetd</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20174" version="1"> > <lin-def:name>telnet-server</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20175" version="1"> > <lin-def:name>telnet</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20176" version="1"> > <lin-def:name>krb5-workstation</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20177" version="1"> > <lin-def:name>rsh-server</lin-def:name> > </lin-def:rpminfo_object> > 
<unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20181" version="1"> > <unix-def:service_name>ypbind</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20180" version="1"> > <lin-def:name>ypserv</lin-def:name> > </lin-def:rpminfo_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20182" version="1"> > <lin-def:name>tftp-server</lin-def:name> > </lin-def:rpminfo_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20183" version="1"> > <unix-def:service_name>firstboot</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20184" version="1"> > <unix-def:service_name>gpm</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20185" version="1"> > <unix-def:service_name>irqbalance</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20186" version="1"> > <unix-def:service_name>isdn</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20187" version="1"> > <unix-def:service_name>kdump</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20188" version="1"> > <unix-def:service_name>kudzu</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20189" 
version="1"> > <unix-def:service_name>mdmonitor</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20190" version="1"> > <unix-def:service_name>microcode_ctl</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20191" version="1"> > <unix-def:service_name>network</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:file_object comment="Check existence of yum.cron" id="oval:org.open-scap.f14:obj:20192" version="1"> > <unix-def:path>/etc/sysconfig/network-scripts</unix-def:path> > <unix-def:filename operation="pattern match">ifcfg-[^l][^o].*</unix-def:filename> > </unix-def:file_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20193" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>network</ind-def:filename> > <ind-def:pattern operation="pattern match">^[:space:]*NOZEROCONF=yes</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20194" version="1"> > <unix-def:service_name>pcscd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20195" version="1"> > <unix-def:service_name>smartd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20196" version="1"> > <unix-def:service_name>readahead_early</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > 
</unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20197" version="1"> > <unix-def:service_name>readahead_later</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20198" version="1"> > <unix-def:service_name>messagebus</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20199" version="1"> > <unix-def:service_name>haldaemon</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20200" version="1"> > <unix-def:service_name>bluetooth</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20201" version="1"> > <unix-def:service_name>hidd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2020151" version="1"> > <ind-def:path>/etc/modprobe.d</ind-def:path> > <ind-def:filename operation="pattern match">.*\.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">alias[:space:]net\-pf\-31[:space:]off</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2020152" version="1"> > <ind-def:path>/etc/modprobe.d</ind-def:path> > <ind-def:filename operation="pattern match">.*\.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">alias[:space:]bluetooth[:space:]off</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > 
</ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20202" version="1"> > <unix-def:service_name>apmd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20203" version="1"> > <unix-def:service_name>acpid</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20204" version="1"> > <unix-def:service_name>cpuspeed</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20205" version="1"> > <unix-def:service_name>crond</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:202052" version="1"> > <unix-def:service_name>atd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:202053" version="1"> > <lin-def:name>at</lin-def:name> > </lin-def:rpminfo_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20206" version="1"> > <unix-def:service_name>anacron</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20207" version="1"> > <lin-def:name>cronie-anacron</lin-def:name> > </lin-def:rpminfo_object> > <unix-def:file_object comment="/etc/cron.monthly" id="oval:org.open-scap.f14:obj:20217" version="1"> > <unix-def:path>/etc/cron.monthly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > 
</unix-def:file_object> > <unix-def:file_object comment="/etc/cron.daily" id="oval:org.open-scap.f14:obj:20225" version="1"> > <unix-def:path>/etc/cron.daily</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.weekly" id="oval:org.open-scap.f14:obj:20216" version="1"> > <unix-def:path>/etc/cron.weekly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/crontab" id="oval:org.open-scap.f14:obj:20209" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>crontab</unix-def:filename> > </unix-def:file_object> > <unix-def:password_object id="oval:org.open-scap.f14:obj:202091" version="1"> > <unix-def:username operation="equals" var_ref="oval:org.open-scap.f14:var:20209"/> > </unix-def:password_object> > <unix-def:file_object comment="/etc/anacrontab" id="oval:org.open-scap.f14:obj:20212" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>anacrontab</unix-def:filename> > </unix-def:file_object> > <unix-def:password_object id="oval:org.open-scap.f14:obj:202121" version="1"> > <unix-def:username operation="equals" var_ref="oval:org.open-scap.f14:var:20212"/> > </unix-def:password_object> > <unix-def:file_object comment="/etc/crontab" id="oval:org.open-scap.f14:obj:20210" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>crontab</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.hourly" id="oval:org.open-scap.f14:obj:20214" version="1"> > <unix-def:path>/etc/cron.hourly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.monthly" id="oval:org.open-scap.f14:obj:20222" version="1"> > 
<unix-def:path>/etc/cron.monthly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.d" id="oval:org.open-scap.f14:obj:20218" version="1"> > <unix-def:behaviors recurse="symlinks and directories"/> > <unix-def:path>/etc/cron.d</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.d" id="oval:org.open-scap.f14:obj:20223" version="1"> > <unix-def:behaviors recurse="symlinks and directories"/> > <unix-def:path>/etc/cron.d</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.weekly" id="oval:org.open-scap.f14:obj:20221" version="1"> > <unix-def:path>/etc/cron.weekly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/anacrontab" id="oval:org.open-scap.f14:obj:20211" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>anacrontab</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.hourly" id="oval:org.open-scap.f14:obj:20224" version="1"> > <unix-def:path>/etc/cron.hourly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.hourly" id="oval:org.open-scap.f14:obj:20219" version="1"> > <unix-def:path>/etc/cron.hourly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:password_object id="oval:org.open-scap.f14:obj:202191" version="1"> > <unix-def:username operation="equals" var_ref="oval:org.open-scap.f14:var:20219"/> > 
</unix-def:password_object> > <unix-def:password_object id="oval:org.open-scap.f14:obj:2014911" version="1"> > <unix-def:username operation="equals" var_ref="oval:org.open-scap.f14:var:20149"/> > </unix-def:password_object> > <unix-def:file_object comment="/etc/crontab" id="oval:org.open-scap.f14:obj:20208" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>crontab</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.daily" id="oval:org.open-scap.f14:obj:20220" version="1"> > <unix-def:path>/etc/cron.daily</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/anacrontab" id="oval:org.open-scap.f14:obj:20213" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>anacrontab</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.weekly" id="oval:org.open-scap.f14:obj:20226" version="1"> > <unix-def:path>/etc/cron.weekly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.monthly" id="oval:org.open-scap.f14:obj:20227" version="1"> > <unix-def:path>/etc/cron.monthly</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.daily" id="oval:org.open-scap.f14:obj:20215" version="1"> > <unix-def:path>/etc/cron.daily</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/cron.d" id="oval:org.open-scap.f14:obj:20228" version="1"> > <unix-def:behaviors recurse="symlinks and directories"/> > <unix-def:path>/etc/cron.d</unix-def:path> > <unix-def:filename 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/var/spool/cron" id="oval:org.open-scap.f14:obj:20229" version="1"> > <unix-def:path>/var/spool/cron</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/var/spool/cron" id="oval:org.open-scap.f14:obj:20232" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>cron.deny</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/at.deny" id="oval:org.open-scap.f14:obj:20233" version="1"> > <unix-def:path>/etc</unix-def:path> > <unix-def:filename>at.deny</unix-def:filename> > </unix-def:file_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20234" version="1"> > <unix-def:service_name>sshd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20235" version="1"> > <lin-def:name>openssh-server</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20236" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>iptables</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*-A[[:space:]]+.*INPUT[[:space:]]+-m[[:space:]]+state[[:space:]]+--state[[:space:]]+NEW[[:space:]]+-m[[:space:]]+tcp[[:space:]]+-p[[:space:]]+tcp[[:space:]]+--dport[[:space:]]+22[[:space:]]+-j[[:space:]]+ACCEPT[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20237" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>ip6tables</ind-def:filename> > <ind-def:pattern operation="pattern 
match">^[[:space:]]*-A[[:space:]]+.*INPUT[[:space:]]+-m[[:space:]]+state[[:space:]]+--state[[:space:]]+NEW[[:space:]]+-m[[:space:]]+tcp[[:space:]]+-p[[:space:]]+tcp[[:space:]]+--dport[[:space:]]+22[[:space:]]+-j[[:space:]]+ACCEPT[[:space:]]*$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20238" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*Protocol[[:space:]](2)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20239" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*ClientAliveInterval[[:space:]]*([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20240" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*ClientAliveCountMax[[:space:]]*([[:digit:]]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20241" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*IgnoreRhosts[[:space:]]*yes</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20242" version="1"> > 
<ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*HostbasedAuthentication[[:space:]]*no</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20243" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*PermitRootLogin[[:space:]]*no</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20244" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*PermitEmptyPasswords[[:space:]]*no</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20245" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*Banner[[:space:]]+/etc/issue$</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:202455" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*PermitUserEnvironment[[:space:]]+no</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:202456" version="1"> > <ind-def:path>/etc/ssh</ind-def:path> > <ind-def:filename>sshd_config</ind-def:filename> 
> <ind-def:pattern operation="pattern match">^[[:space:]]*Ciphers[[:space:]]+([^ \t\r\n\v\f]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20246" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>inittab</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*id:([^:]*):initdefault:</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20248" version="1"> > <ind-def:path>/etc/X11/xinit</ind-def:path> > <ind-def:filename>xserverrc</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*exec\sX\s:0\s\-nolisten\stcp\s\$@</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20249" version="1"> > <ind-def:path>/etc/gdm</ind-def:path> > <ind-def:filename>custom.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*InfoMsgFile[\s]*=[\s]*/etc/issue</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20250" version="1"> > <unix-def:service_name>avahi-daemon</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20253" version="1"> > <ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">check-response-ttl[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object 
id="oval:org.open-scap.f14:obj:20254" version="1"> > <ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">disallow-other-stacks[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20255" version="1"> > <ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">disable-publishing[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20256" version="1"> > <ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">disable-user-service-publishing[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20257" version="1"> > <ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">publish-hinfo[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20258" version="1"> > <ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">publish-workstation[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20259" version="1"> > 
<ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">publish-addresses[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20260" version="1"> > <ind-def:path>/etc/avahi</ind-def:path> > <ind-def:filename>avahi-daemon.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">publish-domain[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20261" version="1"> > <unix-def:service_name>cups</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20264" version="1"> > <ind-def:path>/etc/cups</ind-def:path> > <ind-def:filename>cupsd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">Browsing[\s]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20265" version="1"> > <ind-def:path>/etc/cups</ind-def:path> > <ind-def:filename>cupsd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">BrowseAllow[\s]+none</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20266" version="1"> > <unix-def:service_name>hplip</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20267" version="1"> > <ind-def:path>/etc/sysconfig/network-scripts</ind-def:path> > 
<ind-def:filename operation="pattern match">ifcfg-eth.*</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*BOOTPROTO[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:variable_object id="oval:org.open-scap.f14:obj:256" version="1"> > <ind-def:var_ref>oval:org.open-scap.f14:var:20267</ind-def:var_ref> > </ind-def:variable_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20268" version="1"> > <unix-def:service_name>dhcpd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20269" version="1"> > <lin-def:name>dhcp</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20270" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">ddns-update-style[\s]+none;</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20271" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">deny[\s]+declines;</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20272" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">deny[\s]+bootp;</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:267" version="1"> > <ind-def:path>/etc</ind-def:path> > 
<ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">option[\s]+domain-name-servers</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:269" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">option[\s]+routers</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:271" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">option[\s]+domain-name</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:273" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">option[\s]+nis-domain</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:275" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">option[\s]+nis-servers</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:277" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">option[\s]+time-offset</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > 
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:279" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dhcpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">option[\s]+ntp-servers</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20280" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>syslog.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">daemon\.\*[\s]+/var/log/daemon\.log</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20281" version="1"> > <unix-def:service_name>ntpd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20282" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>ntp.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">restrict[\s]+default[\s]+ignore</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20285" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>rc.local</ind-def:filename> > <ind-def:pattern operation="pattern match">/usr/local/sbin/ntpd -s</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20287" version="1"> > <unix-def:service_name>sendmail</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20288" version="1"> > 
<ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>sendmail</ind-def:filename> > <ind-def:pattern operation="pattern match">DAEMON[\s]*=[\s]*yes</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:202885" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>ldap.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*tls_checkpeer[\s]+yes</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20289" version="1"> > <unix-def:service_name>ldap</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:file_object comment="/var/lib/ldap/.*" id="oval:org.open-scap.f14:obj:20290" version="1"> > <unix-def:path>/var/lib/ldap</unix-def:path> > <unix-def:filename operation="pattern match">.*</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/var/lib/ldap/.*" id="oval:org.open-scap.f14:obj:20291" version="1"> > <unix-def:path>/var/lib/ldap</unix-def:path> > <unix-def:filename operation="pattern match">.*</unix-def:filename> > </unix-def:file_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20292" version="1"> > <unix-def:service_name>nfslock</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20293" version="1"> > <unix-def:service_name>rpcgssd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20294" version="1"> > <unix-def:service_name>rpcidmapd</unix-def:service_name> > <unix-def:runlevel 
operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20295" version="1"> > <unix-def:service_name>netfs</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20296" version="1"> > <unix-def:service_name>portmap</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20297" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>nfs</ind-def:filename> > <ind-def:pattern operation="pattern match">LOCKD_TCPPORT[\s]*=[\s]*[0-9]</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20298" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>nfs</ind-def:filename> > <ind-def:pattern operation="pattern match">STATD_OUTGOING_PORT[\s]*=[\s]*[0-9]</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20299" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>nfs</ind-def:filename> > <ind-def:pattern operation="pattern match">STATD_PORT[\s]*=[\s]*[0-9]</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20300" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>nfs</ind-def:filename> > <ind-def:pattern operation="pattern match">LOCKD_UDPPORT[\s]*=[\s]*[0-9]</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > 
</ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20301" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>nfs</ind-def:filename> > <ind-def:pattern operation="pattern match">MOUNTD_PORT[\s]*=[\s]*[0-9]</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20302" version="1"> > <ind-def:path>/etc/sysconfig</ind-def:path> > <ind-def:filename>nfs</ind-def:filename> > <ind-def:pattern operation="pattern match">RQUOTAD_PORT[\s]*=[\s]*[0-9]</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20303" version="1"> > <unix-def:service_name>nfs</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20304" version="1"> > <unix-def:service_name>rpcsvcgssd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20308" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>exports</ind-def:filename> > <ind-def:pattern operation="pattern match">no_root_squash</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20309" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>exports</ind-def:filename> > <ind-def:pattern operation="pattern match">insecure</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20310" version="1"> > 
<ind-def:path>/etc</ind-def:path> > <ind-def:filename>exports</ind-def:filename> > <ind-def:pattern operation="pattern match">rw</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20311" version="1"> > <unix-def:service_name>named</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20312" version="1"> > <lin-def:name>bind</lin-def:name> > </lin-def:rpminfo_object> > <unix-def:file_object comment="/var/named/chroot/etc/named.conf" id="oval:org.open-scap.f14:obj:20313" version="1"> > <unix-def:path>/var/named/chroot/etc</unix-def:path> > <unix-def:filename>named.conf</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/var/named/chroot/etc/named.conf" id="oval:org.open-scap.f14:obj:20315" version="1"> > <unix-def:path>/var/named/chroot/etc</unix-def:path> > <unix-def:filename>named.conf</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/var/named/chroot/etc/named.conf" id="oval:org.open-scap.f14:obj:20314" version="1"> > <unix-def:path>/var/named/chroot/etc</unix-def:path> > <unix-def:filename>named.conf</unix-def:filename> > </unix-def:file_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20317" version="1"> > <unix-def:service_name>vsftpd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:203175" version="1"> > <lin-def:name>vsftpd</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20319" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>vsftpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern 
match">banner_file[\s]*=[\s]*/etc/issue</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:340" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>vsftpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">local_enable[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:341" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>vsftpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">write_enable[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20322" version="1"> > <unix-def:service_name>httpd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20323" version="1"> > <lin-def:name>httpd</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20324" version="1"> > <ind-def:path>/etc/httpd/conf</ind-def:path> > <ind-def:filename>httpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">ServerTokens[\s]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20325" version="1"> > <ind-def:path>/etc/httpd/conf</ind-def:path> > <ind-def:filename>httpd.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">ServerSignature[\s]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > 
<unix-def:file_object comment="/etc/httpd/conf" id="oval:org.open-scap.f14:obj:20326" version="1"> > <unix-def:path>/etc/httpd/conf</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:file_object comment="/etc/httpd/conf/.*" id="oval:org.open-scap.f14:obj:20327" version="1"> > <unix-def:path>/etc/httpd/conf</unix-def:path> > <unix-def:filename operation="pattern match">.*</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/usr/sbin/httpd" id="oval:org.open-scap.f14:obj:20328" version="1"> > <unix-def:path>/usr/sbin</unix-def:path> > <unix-def:filename>httpd</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/etc/httpd/conf/.*" id="oval:org.open-scap.f14:obj:20329" version="1"> > <unix-def:path>/etc/httpd/conf</unix-def:path> > <unix-def:filename operation="pattern match">.*</unix-def:filename> > </unix-def:file_object> > <unix-def:file_object comment="/var/log/httpd" id="oval:org.open-scap.f14:obj:20330" version="1"> > <unix-def:path>/var/log/httpd</unix-def:path> > <unix-def:filename xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:nil="true"/> > </unix-def:file_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20331" version="1"> > <unix-def:service_name>dovecot</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20332" version="1"> > <lin-def:name>dovecot</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20333" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dovecot.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">protocols[\s]*=.*imaps</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > 
<ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20334" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dovecot.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">protocols[\s]*=.*pop3s</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20335" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dovecot.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">protocols[\s]*=.*pop3</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20336" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dovecot.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">protocols[\s]*=.*imap</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20337" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dovecot.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">disable_plaintext_auth[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20338" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dovecot.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">mail_drop_priv_before_exec[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20339" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>dovecot.conf</ind-def:filename> > 
<ind-def:pattern operation="pattern match">login_process_per_connection[\s]*=[\s]*([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20340" version="1"> > <unix-def:service_name>smb</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:203403" version="1"> > <ind-def:path>/etc/samba</ind-def:path> > <ind-def:filename>smb.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*guest[\s]+ok[\s]*=[\s]yes</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:2034010" version="1"> > <ind-def:path>/etc/samba</ind-def:path> > <ind-def:filename>smb.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*client[\s]+signing[\s]*=[\s]mandatory</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20340111" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>fstab</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*[\S]+[\s]+[\S]+[\s]+([\S]+)[\s]+([\S]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20340112" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>mtab</ind-def:filename> > <ind-def:pattern operation="pattern match">^[\s]*[\S]+[\s]+[\S]+[\s]+([\S]+)[\s]+([\S]+)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20341" 
version="1"> > <unix-def:service_name>squid</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20342" version="1"> > <lin-def:name>squid</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20343" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*ftp_passive[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20346" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*request_header_max_size[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20345" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*check_hostnames[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20350" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*ignore_unknown_nameservers[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20347" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > 
<ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*reply_header_max_size[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20348" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*cache_effective_user[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20344" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*ftp_sanitycheck[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20349" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*cache_effective_group[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20353" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*forwarded_for[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20354" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > 
<ind-def:pattern operation="pattern match">^[[:space:]]*log_mime_hdrs[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20351" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*allow_underscore[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object id="oval:org.open-scap.f14:obj:20352" version="1"> > <ind-def:path>/etc/squid</ind-def:path> > <ind-def:filename>squid.conf</ind-def:filename> > <ind-def:pattern operation="pattern match">^[[:space:]]*httpd_suppress_version_string[[:space:]]+([^#]*)</ind-def:pattern> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <unix-def:runlevel_object id="oval:org.open-scap.f14:obj:20365" version="1"> > <unix-def:service_name>snmpd</unix-def:service_name> > <unix-def:runlevel operation="pattern match">.*</unix-def:runlevel> > </unix-def:runlevel_object> > <lin-def:rpminfo_object id="oval:org.open-scap.f14:obj:20366" version="1"> > <lin-def:name>net-snmp</lin-def:name> > </lin-def:rpminfo_object> > <ind-def:textfilecontent54_object comment="Get group ID" id="oval:org.open-scap.f14:obj:202081" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match" var_ref="oval:org.open-scap.f14:var:202081"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="Get group ID" id="oval:org.open-scap.f14:obj:202111" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match" 
var_ref="oval:org.open-scap.f14:var:202111"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="Get group ID" id="oval:org.open-scap.f14:obj:202141" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match" var_ref="oval:org.open-scap.f14:var:202141"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="Get group ID" id="oval:org.open-scap.f14:obj:202291" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match" var_ref="oval:org.open-scap.f14:var:202291"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="Get group ID" id="oval:org.open-scap.f14:obj:202301" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match" var_ref="oval:org.open-scap.f14:var:202301"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="Get group ID" id="oval:org.open-scap.f14:obj:200811" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match" var_ref="oval:org.open-scap.f14:var:200811"/> > <ind-def:instance datatype="int">1</ind-def:instance> > </ind-def:textfilecontent54_object> > <ind-def:textfilecontent54_object comment="Get group ID" id="oval:org.open-scap.f14:obj:201501" version="1"> > <ind-def:path>/etc</ind-def:path> > <ind-def:filename>group</ind-def:filename> > <ind-def:pattern operation="pattern match" var_ref="oval:org.open-scap.f14:var:201501"/> > <ind-def:instance datatype="int">1</ind-def:instance> > 
</ind-def:textfilecontent54_object> > </objects> > <states> > <ind-def:textfilecontent54_state comment="/tmp mount point is defined" id="oval:org.open-scap.f14:ste:20000" version="1"> > <ind-def:subexpression datatype="string" entity_check="all" operation="equals">/tmp</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="/var mount point is defined" id="oval:org.open-scap.f14:ste:20002" version="1"> > <ind-def:subexpression datatype="string" entity_check="all" operation="equals">/var</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="/var/log mount point is defined" id="oval:org.open-scap.f14:ste:20004" version="1"> > <ind-def:subexpression datatype="string" entity_check="all" operation="equals">/var/log</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="/var/log/audit mount point is defined" id="oval:org.open-scap.f14:ste:20005" version="1"> > <ind-def:subexpression datatype="string" entity_check="all" operation="equals">/var/log/audit</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="/home mount point is defined" id="oval:org.open-scap.f14:ste:20006" version="1"> > <ind-def:subexpression datatype="string" entity_check="all" operation="equals">/home</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Expected value of gpgcheck should be enabled" id="oval:org.open-scap.f14:ste:20010" version="1"> > <ind-def:instance datatype="int">1</ind-def:instance> > <ind-def:subexpression datatype="int" entity_check="all" operation="equals">1</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Expected value of gpgcheck should be disabled because test is none exist" id="oval:org.open-scap.f14:ste:20011" version="1"> > <ind-def:subexpression datatype="int" 
entity_check="all" operation="equals">0</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Expected value of repo_gpgcheck should be enabled" id="oval:org.open-scap.f14:ste:20012" version="1"> > <ind-def:subexpression datatype="int" entity_check="all" operation="equals">1</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Expected value of repo_gpgcheck should be disabled because test is none exist" id="oval:org.open-scap.f14:ste:20013" version="1"> > <ind-def:subexpression datatype="int" entity_check="all" operation="equals">0</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="ext2 and ext3 filing systems" id="oval:org.open-scap.f14:ste:200161" version="1"> > <ind-def:subexpression datatype="string" entity_check="all" operation="pattern match">.*,nodev.*</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <lin-def:rpminfo_state id="oval:org.open-scap.f14:ste:10000" version="1"> > <lin-def:version operation="pattern match">^5[^\d]</lin-def:version> > </lin-def:rpminfo_state> > <lin-def:rpminfo_state id="oval:org.open-scap.f14:ste:200065" version="1"> > <lin-def:release>4c49d6fe</lin-def:release> > <lin-def:version>97a1071f</lin-def:version> > </lin-def:rpminfo_state> > <lin-def:rpminfo_state id="oval:org.open-scap.f14:ste:11000" version="1"> > <lin-def:release operation="pattern match">^5\.[2-9]</lin-def:release> > </lin-def:rpminfo_state> > <ind-def:family_state id="oval:org.open-scap.f14:ste:10001" version="1"> > <ind-def:family>unix</ind-def:family> > </ind-def:family_state> > <ind-def:xmlfilecontent_state id="oval:org.open-scap.f14:ste:20026" version="1"> > <ind-def:value_of operation="equals">false</ind-def:value_of> > </ind-def:xmlfilecontent_state> > <ind-def:textfilecontent54_state comment="Check for the usb_storage module" id="oval:org.open-scap.f14:ste:20021" version="1"> > 
<ind-def:subexpression datatype="string" entity_check="all">usb_storage</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Check for the cramfs file system" id="oval:org.open-scap.f14:ste:20027" version="1"> > <ind-def:subexpression datatype="string" entity_check="all">cramfs</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Check for the freevxfs file system" id="oval:org.open-scap.f14:ste:20028" version="1"> > <ind-def:subexpression datatype="string" entity_check="all">freevxfs</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Check for the jffs2 file system" id="oval:org.open-scap.f14:ste:20029" version="1"> > <ind-def:subexpression datatype="string" entity_check="all">jffs2</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Check for the hfs file system" id="oval:org.open-scap.f14:ste:20030" version="1"> > <ind-def:subexpression datatype="string" entity_check="all">hfs</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Check for the hfsplus file system" id="oval:org.open-scap.f14:ste:20031" version="1"> > <ind-def:subexpression datatype="string" entity_check="all">hfsplus</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Check for the squashfs file system" id="oval:org.open-scap.f14:ste:20032" version="1"> > <ind-def:subexpression datatype="string" entity_check="all">squashfs</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="Check for the udf file system" id="oval:org.open-scap.f14:ste:20033" version="1"> > <ind-def:subexpression datatype="string" entity_check="all">udf</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <unix-def:file_state 
id="oval:org.open-scap.f14:ste:20034" version="1"> > <unix-def:user_id datatype="int">0</unix-def:user_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20035" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20042" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:1"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:2"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:3"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:4"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:5"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:6"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:7"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:8"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:9"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20036" version="1"> > <unix-def:user_id datatype="int">0</unix-def:user_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20037" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20043" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:10"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:11"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:12"/> > <unix-def:gread datatype="boolean" var_check="all" 
var_ref="oval:org.open-scap.f14:var:13"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:14"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:15"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:16"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:17"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:18"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20038" version="1"> > <unix-def:user_id datatype="int">0</unix-def:user_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20039" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20044" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:19"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:20"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:21"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:22"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:23"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:24"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:25"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:26"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:27"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20040" version="1"> > <unix-def:user_id datatype="int">0</unix-def:user_id> > </unix-def:file_state> > <unix-def:file_state 
id="oval:org.open-scap.f14:ste:20041" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20045" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:28"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:29"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:30"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:31"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:32"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:33"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:34"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:35"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:36"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20046" version="1"> > <unix-def:sticky datatype="boolean">1</unix-def:sticky> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200462" version="1"> > <unix-def:owrite datatype="boolean">0</unix-def:owrite> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200471" version="1"> > <unix-def:owrite datatype="boolean">0</unix-def:owrite> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200472" version="1"> > <unix-def:type datatype="string" operation="not equal">regular</unix-def:type> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200481" operator="OR" version="1"> > <unix-def:type operation="not equal">regular</unix-def:type> > <unix-def:sgid datatype="boolean">0</unix-def:sgid> > </unix-def:file_state> > <unix-def:file_state 
id="oval:org.open-scap.f14:ste:200482" version="1"> > <unix-def:path>/sbin</unix-def:path> > <unix-def:filename>netreport</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200483" version="1"> > <unix-def:path>/var/cache/jwhois</unix-def:path> > <unix-def:filename>jwhois.db</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200484" version="1"> > <unix-def:path>/usr/sbin</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:200484"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200485" version="1"> > <unix-def:path>/usr/bin</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:200485"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200486" version="1"> > <unix-def:path>/usr/libexec/utempter</unix-def:path> > <unix-def:filename>utempter</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200487" version="1"> > <unix-def:path>/usr/lib/vte</unix-def:path> > <unix-def:filename>gnome-pty-helper</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200488" version="1"> > <unix-def:path>/usr/lib64/vte</unix-def:path> > <unix-def:filename>gnome-pty-helper</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004901" operator="OR" version="1"> > <unix-def:type operation="not equal">regular</unix-def:type> > <unix-def:suid datatype="boolean">0</unix-def:suid> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004902" version="1"> > <unix-def:path>/bin</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:2004902"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004903" version="1"> > 
<unix-def:path>/lib/dbus-1</unix-def:path> > <unix-def:filename>dbus-daemon-launch-helper</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004904" version="1"> > <unix-def:path>/lib64/dbus-1</unix-def:path> > <unix-def:filename>dbus-daemon-launch-helper</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004905" version="1"> > <unix-def:path>/sbin</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:2004905"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004906" version="1"> > <unix-def:path>/usr/bin</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:2004906"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004907" version="1"> > <unix-def:path>/usr/lib/nspluginwrapper</unix-def:path> > <unix-def:filename>plugin-config</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004908" version="1"> > <unix-def:path>/usr/lib64/nspluginwrapper</unix-def:path> > <unix-def:filename>plugin-config</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004909" version="1"> > <unix-def:path>/usr/libexec/kde4</unix-def:path> > <unix-def:filename>kpac_dhcp_helper</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004910" version="1"> > <unix-def:path>/usr/libexec/news</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:2004910"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004911" version="1"> > <unix-def:path>/usr/libexec/openssh</unix-def:path> > <unix-def:filename>ssh-keysign</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004912" version="1"> > 
<unix-def:path>/usr/libexec/polkit-1</unix-def:path> > <unix-def:filename>polkit-agent-helper-1</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004913" version="1"> > <unix-def:path>/usr/libexec</unix-def:path> > <unix-def:filename>pt_chown</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004914" version="1"> > <unix-def:path>/usr/libexec/pulse</unix-def:path> > <unix-def:filename>proximity-helper</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004915" version="1"> > <unix-def:path>/usr/sbin</unix-def:path> > <unix-def:filename var_check="at least one" var_ref="oval:org.open-scap.f14:var:2004915"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:2004916" version="1"> > <unix-def:path>/usr/share/BackupPC/sbin</unix-def:path> > <unix-def:filename>BackupPC_Admin</unix-def:filename> > </unix-def:file_state> > <unix-def:file_state comment="Files with a valid user id assigned" id="oval:org.open-scap.f14:ste:20050" version="1"> > <unix-def:user_id datatype="int" var_check="at least one" var_ref="oval:org.open-scap.f14:var:20050"/> > </unix-def:file_state> > <unix-def:file_state comment="Files with a valid group id assigned" id="oval:org.open-scap.f14:ste:20051" version="1"> > <unix-def:group_id datatype="int" var_check="at least one" var_ref="oval:org.open-scap.f14:var:20051"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20052" operator="OR" version="1"> > <unix-def:group_id datatype="int" operation="less than">500</unix-def:group_id> > <unix-def:owrite datatype="boolean">0</unix-def:owrite> > </unix-def:file_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20053" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20053"/> > </ind-def:textfilecontent54_state> 
> <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20055" version="1"> > <ind-def:subexpression operation="equals">0</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20056" version="1"> > <ind-def:subexpression datatype="int" operation="equals">0</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20058" version="1"> > <ind-def:subexpression datatype="int" operation="greater than or equal">1</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20057" version="1"> > <ind-def:subexpression datatype="int" operation="greater than or equal">1</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <unix-def:password_state id="oval:org.open-scap.f14:ste:20068" version="1"> > <unix-def:user_id datatype="int" operation="less than">500</unix-def:user_id> > <unix-def:login_shell operation="not equal">/sbin/nologin</unix-def:login_shell> > </unix-def:password_state> > <unix-def:password_state id="oval:org.open-scap.f14:ste:200695" version="1"> > <unix-def:password>x</unix-def:password> > </unix-def:password_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20071" version="1"> > <ind-def:subexpression datatype="int" operation="greater than or equal" var_check="all" var_ref="oval:org.open-scap.f14:var:20071"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20072" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20072"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20073" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20073"/> > </ind-def:textfilecontent54_state> > 
<ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20074" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20074"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="retry" id="oval:org.open-scap.f14:ste:200781" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:200781"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="minlen" id="oval:org.open-scap.f14:ste:200782" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:200782"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="dcredit" id="oval:org.open-scap.f14:ste:200783" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:200783"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="ucredit" id="oval:org.open-scap.f14:ste:200784" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:200784"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="ocredit" id="oval:org.open-scap.f14:ste:200785" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:200785"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="lcredit" id="oval:org.open-scap.f14:ste:200786" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:200786"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="difok" id="oval:org.open-scap.f14:ste:200787" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" 
var_ref="oval:org.open-scap.f14:var:200787"/> > </ind-def:textfilecontent54_state> > <ind-def:variable_state comment="expected value of unlock_time" id="oval:org.open-scap.f14:ste:200800" version="1"> > <ind-def:value>0</ind-def:value> > </ind-def:variable_state> > <ind-def:textfilecontent54_state comment="deny" id="oval:org.open-scap.f14:ste:2008011" version="1"> > <ind-def:subexpression datatype="int" var_check="all" var_ref="oval:org.open-scap.f14:var:200801"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="lock_time" id="oval:org.open-scap.f14:ste:2008012" version="1"> > <ind-def:subexpression datatype="int" var_check="all" var_ref="oval:org.open-scap.f14:var:200802"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="unlock_time" id="oval:org.open-scap.f14:ste:2008013" version="1"> > <ind-def:subexpression datatype="int" var_check="all" var_ref="oval:org.open-scap.f14:var:200803"/> > </ind-def:textfilecontent54_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20081" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:200812"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20082" version="1"> > <unix-def:suid datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200820"/> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200821"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200822"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200823"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200824"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200825"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200826"/> > <unix-def:oread datatype="boolean" 
var_check="all" var_ref="oval:org.open-scap.f14:var:200827"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200828"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:200829"/> > </unix-def:file_state> > <ind-def:variable_state comment="hashing algorithm is md5" id="oval:org.open-scap.f14:ste:200831" version="1"> > <ind-def:value>md5</ind-def:value> > </ind-def:variable_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:200832" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:200833" version="1"> > <ind-def:subexpression operation="case insensitive equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20083"/> > </ind-def:textfilecontent54_state> > <ind-def:variable_state comment="remember is set to 0" id="oval:org.open-scap.f14:ste:200841" version="1"> > <ind-def:value datatype="string">0</ind-def:value> > </ind-def:variable_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:200842" version="1"> > <ind-def:subexpression datatype="string" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20084"/> > </ind-def:textfilecontent54_state> > <ind-def:environmentvariable_state comment="starts with . or :" id="oval:org.open-scap.f14:ste:200851" version="1"> > <ind-def:value operation="pattern match">^:|^\.</ind-def:value> > </ind-def:environmentvariable_state> > <ind-def:environmentvariable_state comment="ends with . 
or :" id="oval:org.open-scap.f14:ste:200852" version="1"> > <ind-def:value operation="pattern match">:$|\.$</ind-def:value> > </ind-def:environmentvariable_state> > <ind-def:environmentvariable_state comment="contains :.: or ::" id="oval:org.open-scap.f14:ste:200853" version="1"> > <ind-def:value operation="pattern match">:\.:|::</ind-def:value> > </ind-def:environmentvariable_state> > <unix-def:file_state comment="Group has NO write privilege" id="oval:org.open-scap.f14:ste:2008551" version="1"> > <unix-def:gwrite datatype="boolean">0</unix-def:gwrite> > <unix-def:owrite datatype="boolean">0</unix-def:owrite> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200861" version="1"> > <unix-def:path datatype="string" operation="not equal">/home</unix-def:path> > <unix-def:gwrite datatype="boolean">1</unix-def:gwrite> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:200862" version="1"> > <unix-def:path datatype="string" operation="not equal">/home</unix-def:path> > <unix-def:oread datatype="boolean">1</unix-def:oread> > </unix-def:file_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20087" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20087"/> > </ind-def:textfilecontent54_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20092" version="1"> > <unix-def:user_id datatype="int">0</unix-def:user_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20094" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:37"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:38"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:39"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:40"/> > <unix-def:gwrite datatype="boolean" 
var_check="all" var_ref="oval:org.open-scap.f14:var:41"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:42"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:43"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:44"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:45"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20093" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20097" version="1"> > <ind-def:subexpression>no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20098" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20098"/> > </ind-def:textfilecontent54_state> > <ind-def:xmlfilecontent_state comment="idle_delay (time before activation in minutes)" id="oval:org.open-scap.f14:ste:20100" version="1"> > <ind-def:value_of datatype="int" var_check="all" var_ref="oval:org.open-scap.f14:var:20098"/> > </ind-def:xmlfilecontent_state> > <ind-def:xmlfilecontent_state comment="idle_activation_enabled (Activation when idle)" id="oval:org.open-scap.f14:ste:201005" version="1"> > <ind-def:value_of datatype="boolean" var_check="all">true</ind-def:value_of> > </ind-def:xmlfilecontent_state> > <ind-def:xmlfilecontent_state comment="lock_enabled (lock on Activation)" id="oval:org.open-scap.f14:ste:201006" version="1"> > <ind-def:value_of datatype="boolean" var_check="all">true</ind-def:value_of> > </ind-def:xmlfilecontent_state> > <ind-def:xmlfilecontent_state comment="mode (Screensaver theme selection mode)" id="oval:org.open-scap.f14:ste:201007" version="1"> > <ind-def:value_of datatype="string" 
var_check="all">blank-only</ind-def:value_of> > </ind-def:xmlfilecontent_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20102" version="1"> > <ind-def:subexpression var_check="all" var_ref="oval:org.open-scap.f14:var:20102"/> > </ind-def:textfilecontent54_state> > <ind-def:xmlfilecontent_state comment="Logon banner" id="oval:org.open-scap.f14:ste:20103" version="1"> > <ind-def:value_of var_check="all" var_ref="oval:org.open-scap.f14:var:20102"/> > </ind-def:xmlfilecontent_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20104" version="1"> > <ind-def:subexpression datatype="int" operation="equals">1</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20105" version="1"> > <ind-def:subexpression datatype="int" operation="equals">1</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20106" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20106"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20107" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20107"/> > </ind-def:textfilecontent54_state> > <unix-def:runlevel_state id="oval:org.open-scap.f14:ste:20111" version="1"> > <unix-def:start datatype="boolean">false</unix-def:start> > <unix-def:kill datatype="boolean">true</unix-def:kill> > </unix-def:runlevel_state> > <unix-def:runlevel_state comment="Define state of disableed service" id="oval:org.open-scap.f14:ste:20171" version="1"> > <unix-def:start datatype="boolean">false</unix-def:start> > <unix-def:kill datatype="boolean">true</unix-def:kill> > </unix-def:runlevel_state> > <unix-def:runlevel_state comment="Define state of enabled service" id="oval:org.open-scap.f14:ste:20172" version="1"> > 
<unix-def:runlevel operation="pattern match">^[2345]$</unix-def:runlevel> > <unix-def:start datatype="boolean">true</unix-def:start> > </unix-def:runlevel_state> > <!-- shared states: subexpression == {0, 1} --> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:201120" version="1"> > <ind-def:subexpression datatype="int" operation="equals">0</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:201121" version="1"> > <ind-def:subexpression datatype="int" operation="equals">1</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <!-- ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ --> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20113" version="1"> > <ind-def:subexpression datatype="int" operation="equals">0</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20114" version="1"> > <ind-def:subexpression datatype="int" operation="equals">0</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20117" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20117"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20116" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20116"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20123" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20123"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20124" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20124"/> > 
</ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20122" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20122"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20120" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20120"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20125" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20125"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20121" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20121"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20118" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20118"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20126" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20126"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20119" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20119"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20115" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20115"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20132" version="1"> > <ind-def:subexpression 
operation="equals">no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20133" version="1"> > <ind-def:subexpression operation="equals">no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20131" version="1"> > <ind-def:subexpression operation="equals">no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20134" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20134"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20140" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20140"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20145" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20145"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20139" version="1"> > <ind-def:subexpression operation="equals" var_check="at least one" var_ref="oval:org.open-scap.f14:var:20139"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20144" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20144"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20143" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20143"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20141" version="1"> > <ind-def:subexpression operation="equals" var_check="all" 
var_ref="oval:org.open-scap.f14:var:20141"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20142" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20142"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:201745" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <unix-def:runlevel_state comment="Starts at runlevel 3 or 5 (with network)" id="oval:org.open-scap.f14:ste:20146" version="1"> > <unix-def:runlevel operation="pattern match">^[35]$</unix-def:runlevel> > <unix-def:start datatype="boolean" operation="equals">true</unix-def:start> > </unix-def:runlevel_state> > <unix-def:runlevel_state comment="Starts at runlevel 2, 3, 4 or 5" id="oval:org.open-scap.f14:ste:20148" version="1"> > <unix-def:runlevel operation="pattern match">^[2345]$</unix-def:runlevel> > <unix-def:start datatype="boolean" operation="equals">true</unix-def:start> > </unix-def:runlevel_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20149" version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:201491"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20150" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:201502"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20151" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201510"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201511"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201512"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201513"/> > <unix-def:gwrite datatype="boolean" 
var_check="all" var_ref="oval:org.open-scap.f14:var:201514"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201515"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201516"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201517"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:201518"/> > </unix-def:file_state> > <unix-def:runlevel_state id="oval:org.open-scap.f14:ste:20156" version="1"> > <unix-def:start datatype="boolean">true</unix-def:start> > <unix-def:kill datatype="boolean">false</unix-def:kill> > </unix-def:runlevel_state> > <unix-def:uname_state id="oval:org.open-scap.f14:ste:201670" version="1"> > <unix-def:processor_type operation="pattern match">^i386$|^i686$</unix-def:processor_type> > </unix-def:uname_state> > <unix-def:uname_state id="oval:org.open-scap.f14:ste:201672" version="1"> > <unix-def:processor_type operation="pattern match">^x86_64$|^ia64$|</unix-def:processor_type> > </unix-def:uname_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20217" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202142"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20225" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:46"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:47"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:48"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:49"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:50"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:51"/> > <unix-def:oread datatype="boolean" var_check="all" 
var_ref="oval:org.open-scap.f14:var:52"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:53"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:54"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20216" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202142"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20209" version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:202091"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20212" version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:202121"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20210" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:55"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:56"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:57"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:58"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:59"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:60"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:61"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:62"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:63"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20214" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202142"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20222" 
version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:202191"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20218" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202142"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20223" version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:202191"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20221" version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:202191"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20211" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202112"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20224" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:64"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:65"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:66"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:67"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:68"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:69"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:70"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:71"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:72"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20219" version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:202191"/> > </unix-def:file_state> > 
<unix-def:file_state id="oval:org.open-scap.f14:ste:20208" version="1"> > <unix-def:group_id datatype="int" var_check="all" var_ref="oval:org.open-scap.f14:var:202082"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20220" version="1"> > <unix-def:user_id datatype="int" var_ref="oval:org.open-scap.f14:var:202191"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20213" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:73"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:74"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:75"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:76"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:77"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:78"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:79"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:80"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:81"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20226" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:82"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:83"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:84"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:85"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:86"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:87"/> > <unix-def:oread 
datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:88"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:89"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:90"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20227" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:91"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:92"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:93"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:94"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:95"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:96"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:97"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:98"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:99"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20215" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202142"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20228" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:100"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:101"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:102"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:103"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:104"/> > 
<unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:105"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:106"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:107"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:108"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20229" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202292"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20230" version="1"> > <unix-def:group_id datatype="int" var_ref="oval:org.open-scap.f14:var:202302"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20231" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:160"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:161"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:162"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:163"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:164"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:165"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:166"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:167"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:168"/> > </unix-def:file_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:86" version="1"> > <ind-def:subexpression datatype="int" operation="pattern match" var_check="all" var_ref="oval:org.open-scap.f14:var:20239"/> > </ind-def:textfilecontent54_state> > 
<ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:87" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20246"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state comment="ClientAliveInterval in seconds" id="oval:org.open-scap.f14:ste:20239" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20239"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20240" version="1"> > <ind-def:subexpression datatype="int" operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20240"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:202456" version="1"> > <ind-def:subexpression operation="equals">aes128-ctr,aes192-ctr,aes256-ctr</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20253" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20254" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20255" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20256" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20257" version="1"> > <ind-def:subexpression operation="equals">no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state 
id="oval:org.open-scap.f14:ste:20258" version="1"> > <ind-def:subexpression operation="equals">no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20259" version="1"> > <ind-def:subexpression operation="equals">no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20260" version="1"> > <ind-def:subexpression operation="equals">no</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20264" version="1"> > <ind-def:subexpression operation="equals">off</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20290" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20291" version="1"> > <unix-def:user_id datatype="int">0</unix-def:user_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20313" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20315" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:109"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:110"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:111"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:112"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:113"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:114"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:115"/> > <unix-def:owrite datatype="boolean" 
var_check="all" var_ref="oval:org.open-scap.f14:var:116"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:117"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20314" version="1"> > <unix-def:user_id datatype="int">0</unix-def:user_id> > </unix-def:file_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20324" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20324"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20325" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20325"/> > </ind-def:textfilecontent54_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20326" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:118"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:119"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:120"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:121"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:122"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:123"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:124"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:125"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:126"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20327" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:127"/> > <unix-def:uwrite datatype="boolean" var_check="all" 
var_ref="oval:org.open-scap.f14:var:128"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:129"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:130"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:131"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:132"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:133"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:134"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:135"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20328" version="1"> > <unix-def:uread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:136"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:137"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:138"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:139"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:140"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:141"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:142"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:143"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:144"/> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20329" version="1"> > <unix-def:group_id datatype="int">0</unix-def:group_id> > </unix-def:file_state> > <unix-def:file_state id="oval:org.open-scap.f14:ste:20330" version="1"> > <unix-def:uread datatype="boolean" var_check="all" 
var_ref="oval:org.open-scap.f14:var:145"/> > <unix-def:uwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:146"/> > <unix-def:uexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:147"/> > <unix-def:gread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:148"/> > <unix-def:gwrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:149"/> > <unix-def:gexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:150"/> > <unix-def:oread datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:151"/> > <unix-def:owrite datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:152"/> > <unix-def:oexec datatype="boolean" var_check="all" var_ref="oval:org.open-scap.f14:var:153"/> > </unix-def:file_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20337" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20338" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20339" version="1"> > <ind-def:subexpression operation="equals">yes</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20340111" version="1"> > <ind-def:instance datatype="int">1</ind-def:instance> > <ind-def:subexpression operation="not equal">cifs</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20340112" version="1"> > <ind-def:instance datatype="int">2</ind-def:instance> > <ind-def:subexpression operation="pattern match">sec=(krb5i|ntlmv2i)</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state 
id="oval:org.open-scap.f14:ste:20343" version="1"> > <ind-def:subexpression operation="equals">on</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20346" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20346"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20345" version="1"> > <ind-def:subexpression operation="equals">on</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20350" version="1"> > <ind-def:subexpression operation="equals">on</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20347" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20347"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20348" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20348"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20344" version="1"> > <ind-def:subexpression operation="equals">on</ind-def:subexpression> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20349" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20349"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20353" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20353"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20354" version="1"> > <ind-def:subexpression 
operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20354"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20351" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20351"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20352" version="1"> > <ind-def:subexpression operation="equals" var_check="all" var_ref="oval:org.open-scap.f14:var:20352"/> > </ind-def:textfilecontent54_state> > <ind-def:textfilecontent54_state id="oval:org.open-scap.f14:ste:20070" version="1"> > <ind-def:subexpression operation="equals">root</ind-def:subexpression> > </ind-def:textfilecontent54_state> > </states> > <variables> > <external_variable comment="External variable for definition 20042" datatype="string" id="oval:org.open-scap.f14:var:20042" version="1"/> > <external_variable comment="External variable for definition 20043" datatype="string" id="oval:org.open-scap.f14:var:20043" version="1"/> > <external_variable comment="External variable for definition 20044" datatype="string" id="oval:org.open-scap.f14:var:20044" version="1"/> > <external_variable comment="External variable for definition 20045" datatype="string" id="oval:org.open-scap.f14:var:20045" version="1"/> > <external_variable comment="External variable for definition 20053" datatype="int" id="oval:org.open-scap.f14:var:20053" version="1"/> > <external_variable comment="External variable for definition 20071" datatype="int" id="oval:org.open-scap.f14:var:20071" version="1"/> > <!-- val:org.fedoraproject.f14:def:20071 --> > <external_variable comment="External variable for definition 20072" datatype="string" id="oval:org.open-scap.f14:var:20072" version="1"/> > <external_variable comment="External variable for definition 20073" datatype="string" id="oval:org.open-scap.f14:var:20073" version="1"/> > <external_variable comment="External 
variable for definition 20074" datatype="string" id="oval:org.open-scap.f14:var:20074" version="1"/> > <external_variable comment="External variable for definition 200781" datatype="int" id="oval:org.open-scap.f14:var:200781" version="1"/> > <external_variable comment="External variable for definition 200782" datatype="int" id="oval:org.open-scap.f14:var:200782" version="1"/> > <external_variable comment="External variable for definition 200783" datatype="int" id="oval:org.open-scap.f14:var:200783" version="1"/> > <external_variable comment="External variable for definition 200784" datatype="int" id="oval:org.open-scap.f14:var:200784" version="1"/> > <external_variable comment="External variable for definition 200785" datatype="int" id="oval:org.open-scap.f14:var:200785" version="1"/> > <external_variable comment="External variable for definition 200786" datatype="int" id="oval:org.open-scap.f14:var:200786" version="1"/> > <external_variable comment="External variable for definition 200787" datatype="int" id="oval:org.open-scap.f14:var:200787" version="1"/> > <external_variable comment="External variable for definition 20080 deny" datatype="int" id="oval:org.open-scap.f14:var:200801" version="1"/> > <external_variable comment="External variable for definition 20080 lock_time" datatype="int" id="oval:org.open-scap.f14:var:200802" version="1"/> > <external_variable comment="External variable for definition 20080 unlock_time" datatype="int" id="oval:org.open-scap.f14:var:200803" version="1"/> > <external_variable comment="External variable for definition 20081" datatype="string" id="oval:org.open-scap.f14:var:20081" version="1"/> > <external_variable comment="External variable for definition 20082" datatype="string" id="oval:org.open-scap.f14:var:20082" version="1"/> > <external_variable comment="External variable for definition 20083 Password hashing algorithm" datatype="string" id="oval:org.open-scap.f14:var:20083" version="1"/> > <external_variable 
comment="External variable for definition 20084 number of passwords to remember" datatype="string" id="oval:org.open-scap.f14:var:20084" version="1"/> > <external_variable comment="External variable for definition 20087 - 20090" datatype="string" id="oval:org.open-scap.f14:var:20087" version="1"/> > <external_variable comment="External variable for definition 20092" datatype="string" id="oval:org.open-scap.f14:var:20092" version="1"/> > <external_variable comment="External variable for definition 20094" datatype="string" id="oval:org.open-scap.f14:var:20094" version="1"/> > <external_variable comment="External variable for definition 20093" datatype="string" id="oval:org.open-scap.f14:var:20093" version="1"/> > <external_variable comment="External variable for definitions 20098 20100" datatype="int" id="oval:org.open-scap.f14:var:20098" version="1"/> > <external_variable comment="External variable for definitions 20099" datatype="int" id="oval:org.open-scap.f14:var:20099" version="1"/> > <!-- turn minutes into seconds --> > <external_variable comment="External variable for definitions 200102 20103 Warning Banner" datatype="string" id="oval:org.open-scap.f14:var:20102" version="1"/> > <external_variable comment="External variable for definition 20106" datatype="string" id="oval:org.open-scap.f14:var:20106" version="1"/> > <external_variable comment="External variable for definition 20107" datatype="string" id="oval:org.open-scap.f14:var:20107" version="1"/> > <external_variable comment="External variable for definition 20115" datatype="string" id="oval:org.open-scap.f14:var:20115" version="1"/> > <external_variable comment="External variable for definition 20116" datatype="string" id="oval:org.open-scap.f14:var:20116" version="1"/> > <external_variable comment="External variable for definition 20117" datatype="string" id="oval:org.open-scap.f14:var:20117" version="1"/> > <external_variable comment="External variable for definition 20118" datatype="string" 
id="oval:org.open-scap.f14:var:20118" version="1"/> > <external_variable comment="External variable for definition 20119" datatype="string" id="oval:org.open-scap.f14:var:20119" version="1"/> > <external_variable comment="External variable for definition 20120" datatype="string" id="oval:org.open-scap.f14:var:20120" version="1"/> > <external_variable comment="External variable for definition 20121" datatype="string" id="oval:org.open-scap.f14:var:20121" version="1"/> > <external_variable comment="External variable for definition 20122" datatype="string" id="oval:org.open-scap.f14:var:20122" version="1"/> > <external_variable comment="External variable for definition 20123" datatype="string" id="oval:org.open-scap.f14:var:20123" version="1"/> > <external_variable comment="External variable for definition 20124" datatype="string" id="oval:org.open-scap.f14:var:20124" version="1"/> > <external_variable comment="External variable for definition 20125" datatype="string" id="oval:org.open-scap.f14:var:20125" version="1"/> > <external_variable comment="External variable for definition 20126" datatype="string" id="oval:org.open-scap.f14:var:20126" version="1"/> > <external_variable comment="External variable for definition 20134" datatype="string" id="oval:org.open-scap.f14:var:20134" version="1"/> > <external_variable comment="External variable for definition 20135" datatype="string" id="oval:org.open-scap.f14:var:20135" version="1"/> > <external_variable comment="External variable for definition 20136" datatype="string" id="oval:org.open-scap.f14:var:20136" version="1"/> > <external_variable comment="External variable for definition 20137" datatype="string" id="oval:org.open-scap.f14:var:20137" version="1"/> > <external_variable comment="External variable for definition 20138" datatype="string" id="oval:org.open-scap.f14:var:20138" version="1"/> > <external_variable comment="External variable for definition 20139" datatype="string" id="oval:org.open-scap.f14:var:20139" 
version="1"/> > <external_variable comment="External variable for definition 20140" datatype="string" id="oval:org.open-scap.f14:var:20140" version="1"/> > <external_variable comment="External variable for definition 20141" datatype="string" id="oval:org.open-scap.f14:var:20141" version="1"/> > <external_variable comment="External variable for definition 20142" datatype="string" id="oval:org.open-scap.f14:var:20142" version="1"/> > <external_variable comment="External variable for definition 20143" datatype="string" id="oval:org.open-scap.f14:var:20143" version="1"/> > <external_variable comment="External variable for definition 20144" datatype="string" id="oval:org.open-scap.f14:var:20144" version="1"/> > <external_variable comment="External variable for definition 20145" datatype="string" id="oval:org.open-scap.f14:var:20145" version="1"/> > <external_variable comment="External variable for definition 20149" datatype="string" id="oval:org.open-scap.f14:var:20149" version="1"/> > <external_variable comment="External variable for definition 20150" datatype="string" id="oval:org.open-scap.f14:var:20150" version="1"/> > <external_variable comment="External variable for definition 20151" datatype="string" id="oval:org.open-scap.f14:var:20151" version="1"/> > <external_variable comment="External variable for definition 20208" datatype="string" id="oval:org.open-scap.f14:var:20208" version="1"/> > <external_variable comment="External variable for definition 20209" datatype="string" id="oval:org.open-scap.f14:var:20209" version="1"/> > <external_variable comment="External variable for definition 20210" datatype="string" id="oval:org.open-scap.f14:var:20210" version="1"/> > <external_variable comment="External variable for definition 20211" datatype="string" id="oval:org.open-scap.f14:var:20211" version="1"/> > <external_variable comment="External variable for definition 20212" datatype="string" id="oval:org.open-scap.f14:var:20212" version="1"/> > <external_variable 
comment="External variable for definition 20213" datatype="string" id="oval:org.open-scap.f14:var:20213" version="1"/> > <external_variable comment="External variable for definition 20214 20216 20217 20218" datatype="string" id="oval:org.open-scap.f14:var:20214" version="1"/> > <external_variable comment="External variable for definition 20219 20220 20221 20222 20223" datatype="string" id="oval:org.open-scap.f14:var:20219" version="1"/> > <external_variable comment="External variable for definition 20224 20225 20226 20227 20228" datatype="string" id="oval:org.open-scap.f14:var:20224" version="1"/> > <external_variable comment="External variable for definition 20229" datatype="string" id="oval:org.open-scap.f14:var:20229" version="1"/> > <external_variable comment="External variable for definition 20230" datatype="string" id="oval:org.open-scap.f14:var:20230" version="1"/> > <external_variable comment="External variable for definition 20231" datatype="string" id="oval:org.open-scap.f14:var:20231" version="1"/> > <external_variable comment="External variable for ClientAliveInterval in definition 20239" datatype="int" id="oval:org.open-scap.f14:var:20239" version="1"/> > <external_variable comment="External variable for ClientAliveCountMax in definition 20240" datatype="int" id="oval:org.open-scap.f14:var:20240" version="1"/> > <external_variable comment="External variable for definition 20246" datatype="string" id="oval:org.open-scap.f14:var:20246" version="1"/> > <external_variable comment="External variable for definition 20262" datatype="string" id="oval:org.open-scap.f14:var:20262" version="1"/> > <external_variable comment="External variable for definition 20264" datatype="string" id="oval:org.open-scap.f14:var:20264" version="1"/> > <external_variable comment="External variable for definition 20267" datatype="string" id="oval:org.open-scap.f14:var:20267" version="1"/> > <external_variable comment="External variable for definition 20290" datatype="string" 
id="oval:org.open-scap.f14:var:20290" version="1"/> > <external_variable comment="External variable for definition 20291" datatype="string" id="oval:org.open-scap.f14:var:20291" version="1"/> > <external_variable comment="External variable for definition 20313" datatype="string" id="oval:org.open-scap.f14:var:20313" version="1"/> > <external_variable comment="External variable for definition 20314" datatype="string" id="oval:org.open-scap.f14:var:20314" version="1"/> > <external_variable comment="External variable for definition 20315" datatype="string" id="oval:org.open-scap.f14:var:20315" version="1"/> > <external_variable comment="External variable for definition 20324" datatype="string" id="oval:org.open-scap.f14:var:20324" version="1"/> > <external_variable comment="External variable for definition 20325" datatype="string" id="oval:org.open-scap.f14:var:20325" version="1"/> > <external_variable comment="External variable for definition 20326" datatype="string" id="oval:org.open-scap.f14:var:20326" version="1"/> > <external_variable comment="External variable for definition 20327" datatype="string" id="oval:org.open-scap.f14:var:20327" version="1"/> > <external_variable comment="External variable for definition 20328" datatype="string" id="oval:org.open-scap.f14:var:20328" version="1"/> > <external_variable comment="External variable for definition 20329" datatype="string" id="oval:org.open-scap.f14:var:20329" version="1"/> > <external_variable comment="External variable for definition 20330" datatype="string" id="oval:org.open-scap.f14:var:20330" version="1"/> > <external_variable comment="External variable for definition 20346" datatype="string" id="oval:org.open-scap.f14:var:20346" version="1"/> > <external_variable comment="External variable for definition 20347" datatype="string" id="oval:org.open-scap.f14:var:20347" version="1"/> > <external_variable comment="External variable for definition 20348" datatype="string" id="oval:org.open-scap.f14:var:20348" 
version="1"/> > <external_variable comment="External variable for definition 20349" datatype="string" id="oval:org.open-scap.f14:var:20349" version="1"/> > <external_variable comment="External variable for definition 20351" datatype="string" id="oval:org.open-scap.f14:var:20351" version="1"/> > <external_variable comment="External variable for definition 20352" datatype="string" id="oval:org.open-scap.f14:var:20352" version="1"/> > <external_variable comment="External variable for definition 20353" datatype="string" id="oval:org.open-scap.f14:var:20353" version="1"/> > <external_variable comment="External variable for definition 20354" datatype="string" id="oval:org.open-scap.f14:var:20354" version="1"/> > <!-- > <local_variable id="oval:org.open-scap.f14:var:201490" version="1" datatype="string" comment="list of paths in /etc/syslog.conf" > > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:201490"/> > </local_variable> >--> > <!-- > <constant_variable id="oval:org.open-scap.f14:var:20107" version="1" datatype="string" comment="foo"> > <value>targeted</value> > </constant_variable> >--> > <constant_variable comment="Filenames of mandatory log files" datatype="string" id="oval:org.open-scap.f14:var:201490" version="1"> > <value>cron</value> > <value>messages</value> > <value>secure</value> > <value>maillog</value> > <!-- > <value>boot.log</value> > <value>faillog</value> > <value>dmesg</value> > <value>audit</value> > <value>lastlog</value> >--> > </constant_variable> > <constant_variable comment="List of files known to have the sgid bit set" datatype="string" id="oval:org.open-scap.f14:var:200484" version="1"> > <value>lockdev</value> > <value>sendmail.sendmail</value> > </constant_variable> > <constant_variable comment="List of files known to have the sgid bit set" datatype="string" id="oval:org.open-scap.f14:var:200485" version="1"> > <value>write</value> > <value>locate</value> > <value>ssh-agent</value> > <value>wall</value> 
> <value>screen</value> > <value>lockfile</value> > <value>gnomine</value> > <value>jwhois</value> > <value>iagno</value> > <value>crontab</value> > </constant_variable> > <constant_variable comment="List of files known to have the suid bit set" datatype="string" id="oval:org.open-scap.f14:var:2004902" version="1"> > <value>cgexec</value> > <value>fusermount</value> > <value>mount</value> > <value>ping</value> > <value>ping6</value> > <value>su</value> > <value>umount</value> > </constant_variable> > <constant_variable comment="List of files known to have the suid bit set" datatype="string" id="oval:org.open-scap.f14:var:2004905" version="1"> > <value>mount.nfs</value> > <value>pam_timestamp_check</value> > <value>unix_chkpwd</value> > </constant_variable> > <constant_variable comment="List of files known to have the suid bit set" datatype="string" id="oval:org.open-scap.f14:var:2004906" version="1"> > <value>Xorg</value> > <value>at</value> > <value>chage</value> > <value>chfn</value> > <value>chsh</value> > <value>crontab</value> > <value>gpasswd</value> > <value>ksu</value> > <value>newgrp</value> > <value>passwd</value> > <value>pkexec</value> > <value>rcp</value> > <value>rlogin</value> > <value>rsh</value> > <value>staprun</value> > <value>sudo</value> > <value>sudoedit</value> > </constant_variable> > <constant_variable comment="List of files known to have the suid bit set" datatype="string" id="oval:org.open-scap.f14:var:2004910" version="1"> > <value>innbind</value> > <value>rnews</value> > </constant_variable> > <constant_variable comment="List of files known to have the suid bit set" datatype="string" id="oval:org.open-scap.f14:var:2004915" version="1"> > <value>ccreds_chkpwd</value> > <value>mtr</value> > <value>seunshare</value> > <value>suexec</value> > <value>userhelper</value> > <value>usernetctl</value> > <value>userisdnctl</value> > </constant_variable> > <constant_variable comment="Regexp pattern for xinetd services" datatype="string" 
id="oval:org.open-scap.f14:var:2017" version="1"> > <value>^[[:space:]]+disable[[:space:]]*=[[:space:]]*(yes|no)</value> > </constant_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:1" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:2" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:3" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:4" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:5" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:6" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:7" version="1"> > <substring substring_length="1" substring_start="7"> > 
<variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:8" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:9" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20042"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:10" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:11" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:12" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:13" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:14" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component 
var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:15" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:16" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:17" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:18" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20043"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:19" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:20" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:21" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > 
</substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:22" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:23" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:24" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:25" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:26" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:27" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20044"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:28" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable 
comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:29" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:30" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:31" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:32" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:33" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:34" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:35" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" 
datatype="boolean" id="oval:org.open-scap.f14:var:36" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20045"/> > </substring> > </local_variable> > <local_variable comment="List of user ids" datatype="int" id="oval:org.open-scap.f14:var:20050" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:200501"/> > </local_variable> > <local_variable comment="List of group ids" datatype="int" id="oval:org.open-scap.f14:var:20051" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:200511"/> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200820" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200821" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200822" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200823" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200824" version="1"> > <substring substring_length="1" substring_start="7"> > 
<variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200825" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200826" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200827" version="1"> > <substring substring_length="1" substring_start="10"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200828" version="1"> > <substring substring_length="1" substring_start="11"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:200829" version="1"> > <substring substring_length="1" substring_start="12"> > <variable_component var_ref="oval:org.open-scap.f14:var:20082"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:37" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:38" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component 
var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:39" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:40" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:41" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:42" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:43" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:44" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:45" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20094"/> > 
</substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201510" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201511" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201512" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201513" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201514" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201515" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201516" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > 
</local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201517" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:201518" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20151"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:46" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:47" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:48" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:49" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:50" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable 
comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:51" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:52" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:53" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:54" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:55" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:56" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:57" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" 
datatype="boolean" id="oval:org.open-scap.f14:var:58" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:59" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:60" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:61" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:62" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:63" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20210"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:64" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:65" 
version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:66" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:67" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:68" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:69" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:70" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:71" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:72" version="1"> > <substring substring_length="1" 
substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:73" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:74" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:75" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:76" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:77" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:78" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:79" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component 
var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:80" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:81" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20213"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:82" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:83" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:84" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:85" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:86" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > 
</substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:87" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:88" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:89" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:90" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:91" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:92" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:93" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable 
comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:94" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:95" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:96" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:97" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:98" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:99" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:100" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" 
datatype="boolean" id="oval:org.open-scap.f14:var:101" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:102" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:103" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:104" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:105" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:106" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:107" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" 
id="oval:org.open-scap.f14:var:108" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20224"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:109" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:110" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:111" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:112" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:113" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:114" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:115" 
version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:116" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:117" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20315"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:118" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:119" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:120" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:121" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:122" version="1"> > <substring substring_length="1" 
substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:123" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:124" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:125" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:126" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20326"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:127" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:128" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:129" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component 
var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:130" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:131" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:132" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:133" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:134" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:135" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20327"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:136" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > 
</substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:137" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:138" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:139" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:140" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:141" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:142" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:143" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > 
<local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:144" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20328"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:145" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:146" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:147" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:148" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:149" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:150" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission 
type" datatype="boolean" id="oval:org.open-scap.f14:var:151" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:152" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:153" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20330"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:160" version="1"> > <substring substring_length="1" substring_start="1"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:161" version="1"> > <substring substring_length="1" substring_start="2"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:162" version="1"> > <substring substring_length="1" substring_start="3"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:163" version="1"> > <substring substring_length="1" substring_start="4"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" 
id="oval:org.open-scap.f14:var:164" version="1"> > <substring substring_length="1" substring_start="5"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:165" version="1"> > <substring substring_length="1" substring_start="6"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:166" version="1"> > <substring substring_length="1" substring_start="7"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:167" version="1"> > <substring substring_length="1" substring_start="8"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Bit for a permission type" datatype="boolean" id="oval:org.open-scap.f14:var:168" version="1"> > <substring substring_length="1" substring_start="9"> > <variable_component var_ref="oval:org.open-scap.f14:var:20231"/> > </substring> > </local_variable> > <local_variable comment="Split the PATH on the : delimiter" datatype="string" id="oval:org.open-scap.f14:var:200855" version="1"> > <split delimiter=":"> > <object_component item_field="value" object_ref="oval:org.open-scap.f14:obj:20085"/> > </split> > </local_variable> > <local_variable comment="Regular expression for /etc/group: Get the group ID of given group name" datatype="string" id="oval:org.open-scap.f14:var:202081" version="1"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="oval:org.open-scap.f14:var:20208"/> > <literal_component>:[^:]*:([[:digit:]]+)</literal_component> > </concat> > </local_variable> > <local_variable 
comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202082" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:202081"/> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202091" version="1"> > <object_component item_field="user_id" object_ref="oval:org.open-scap.f14:obj:202091"/> > </local_variable> > <local_variable comment="Regular expression for /etc/group: Get the group ID of given group name" datatype="string" id="oval:org.open-scap.f14:var:202111" version="1"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="oval:org.open-scap.f14:var:20211"/> > <literal_component>:[^:]*:([[:digit:]]+)</literal_component> > </concat> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202112" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:202111"/> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202121" version="1"> > <object_component item_field="user_id" object_ref="oval:org.open-scap.f14:obj:202121"/> > </local_variable> > <local_variable comment="Regular expression for /etc/group: Get the group ID of given group name" datatype="string" id="oval:org.open-scap.f14:var:202141" version="1"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="oval:org.open-scap.f14:var:20214"/> > <literal_component>:[^:]*:([[:digit:]]+)</literal_component> > </concat> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202142" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:202141"/> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202191" 
version="1"> > <object_component item_field="user_id" object_ref="oval:org.open-scap.f14:obj:202191"/> > </local_variable> > <local_variable comment="Regular expression for /etc/group: Get the group ID of given group name" datatype="string" id="oval:org.open-scap.f14:var:202291" version="1"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="oval:org.open-scap.f14:var:20229"/> > <literal_component>:[^:]*:([[:digit:]]+)</literal_component> > </concat> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202292" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:202291"/> > </local_variable> > <local_variable comment="Regular expression for /etc/group: Get the group ID of given group name" datatype="string" id="oval:org.open-scap.f14:var:202301" version="1"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="oval:org.open-scap.f14:var:20230"/> > <literal_component>:[^:]*:([[:digit:]]+)</literal_component> > </concat> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:202302" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:202301"/> > </local_variable> > <local_variable comment="Regular expression for /etc/group: Get the group ID of given group name" datatype="string" id="oval:org.open-scap.f14:var:200811" version="1"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="oval:org.open-scap.f14:var:20081"/> > <literal_component>:[^:]*:([[:digit:]]+)</literal_component> > </concat> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:200812" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:200811"/> > </local_variable> > <local_variable 
comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:201491" version="1"> > <object_component item_field="user_id" object_ref="oval:org.open-scap.f14:obj:2014911"/> > </local_variable> > <local_variable comment="Regular expression for /etc/group: Get the group ID of given group name" datatype="string" id="oval:org.open-scap.f14:var:201501" version="1"> > <concat> > <literal_component>^</literal_component> > <variable_component var_ref="oval:org.open-scap.f14:var:20150"/> > <literal_component>:[^:]*:([[:digit:]]+)</literal_component> > </concat> > </local_variable> > <local_variable comment="Object to Variable" datatype="int" id="oval:org.open-scap.f14:var:201502" version="1"> > <object_component item_field="subexpression" object_ref="oval:org.open-scap.f14:obj:201501"/> > </local_variable> > </variables> > </oval_definitions> > </ds:component> ></ds:data-stream-collection>