ComplianceAsCode · shawndwells · Jan 21, 2016 · Jan 19, 2016
diff --git a/RHEL/7/input/auxiliary/stig_overlay.xml b/RHEL/7/input/auxiliary/stig_overlay.xml
@@ -372,14 +372,6 @@
 		<VMSinfo VKey="38515" SVKey="50316" VRelease="1" />
 		<title>The Stream Control Transmission Protocol (SCTP) must be disabled unless required.</title>
 	</overlay>
-	<overlay owner="disastig" ruleid="kernel_module_rds_disabled" ownerid="RHEL-06-000126" disa="382" severity="low">
-		<VMSinfo VKey="38516" SVKey="50317" VRelease="1" />
-		<title>The Reliable Datagram Sockets (RDS) protocol must be disabled unless required.</title>
-	</overlay>
-	<overlay owner="disastig" ruleid="kernel_module_tipc_disabled" ownerid="RHEL-06-000127" disa="382" severity="medium">
-		<VMSinfo VKey="38517" SVKey="50318" VRelease="1" />
-		<title>The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required.</title>
-	</overlay>
 	<overlay owner="disastig" ruleid="rsyslog_files_ownership" ownerid="RHEL-06-000133" disa="1314" severity="medium">
 		<VMSinfo VKey="38518" SVKey="50319" VRelease="1" />
 		<title>All rsyslog-generated log files must be owned by root.</title>

diff --git a/RHEL/7/input/oval/kernel_module_cramfs_disabled.xml b/RHEL/7/input/oval/kernel_module_cramfs_disabled.xml
@@ -0,0 +1,86 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_kernel_modules_disabled.py.  DO NOT EDIT.  -->
+  <definition class="compliance"
+  id="kernel_module_cramfs_disabled" version="1">
+    <metadata>
+      <title>Disable cramfs Kernel Module</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The kernel module cramfs should be disabled.</description>
+      <reference source="galford" ref_id="20150819" ref_url="test_attestation"/>
+    </metadata>
+    <criteria operator="OR">
+      <criterion test_ref="test_kernmod_cramfs_disabled" comment="kernel module cramfs disabled in /etc/modprobe.d" />
+      <criterion test_ref="test_kernmod_cramfs_modprobeconf" comment="kernel module cramfs disabled in /etc/modprobe.conf" />
+      <criterion test_ref="test_kernmod_cramfs_etcmodules-load" comment="kernel module cramfs disabled in /etc/modules-load.d" />
+      <criterion test_ref="test_kernmod_cramfs_runmodules-load" comment="kernel module cramfs disabled in /run/modules-load.d" />
+      <criterion test_ref="test_kernmod_cramfs_libmodules-load" comment="kernel module cramfs disabled in /usr/lib/modules-load.d" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_kernmod_cramfs_disabled" version="1" check="all"
+  comment="kernel module cramfs disabled">
+    <ind:object object_ref="obj_kernmod_cramfs_disabled" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_cramfs_modprobeconf" version="1" check="all"
+  comment="kernel module cramfs disabled in /etc/modprobe.conf">
+    <ind:object object_ref="obj_kernmod_cramfs_modprobeconf" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_cramfs_etcmodules-load" version="1" check="all"
+  comment="kernel module cramfs disabled in /etc/modules-load.d">
+    <ind:object object_ref="obj_kernmod_cramfs_etcmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_cramfs_runmodules-load" version="1" check="all"
+  comment="kernel module cramfs disabled in /run/modules-load.d">
+    <ind:object object_ref="obj_kernmod_cramfs_runmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_cramfs_libmodules-load" version="1" check="all"
+  comment="kernel module cramfs disabled in /usr/lib/modules-load.d">
+    <ind:object object_ref="obj_kernmod_cramfs_libmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_kernmod_cramfs_disabled"
+  version="1" comment="kernel module cramfs disabled">
+    <ind:path>/etc/modprobe.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_cramfs_modprobeconf"
+  version="1" comment="Check deprecated /etc/modprobe.conf for disablement of cramfs">
+    <ind:filepath>/etc/modprobe.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_cramfs_etcmodules-load"
+  version="1" comment="kernel module cramfs disabled in /etc/modules-load.d">
+    <ind:path>/etc/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_cramfs_runmodules-load"
+  version="1" comment="kernel module cramfs disabled in /run/modules-load.d">
+    <ind:path>/run/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_cramfs_libmodules-load"
+  version="1" comment="kernel module cramfs disabled in /usr/lib/modules-load.d">
+    <ind:path>/usr/lib/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/RHEL/7/input/oval/kernel_module_freevxfs_disabled.xml b/RHEL/7/input/oval/kernel_module_freevxfs_disabled.xml
@@ -0,0 +1,86 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_kernel_modules_disabled.py.  DO NOT EDIT.  -->
+  <definition class="compliance"
+  id="kernel_module_freevxfs_disabled" version="1">
+    <metadata>
+      <title>Disable freevxfs Kernel Module</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The kernel module freevxfs should be disabled.</description>
+      <reference source="galford" ref_id="20150819" ref_url="test_attestation"/>
+    </metadata>
+    <criteria operator="OR">
+      <criterion test_ref="test_kernmod_freevxfs_disabled" comment="kernel module freevxfs disabled in /etc/modprobe.d" />
+      <criterion test_ref="test_kernmod_freevxfs_modprobeconf" comment="kernel module freevxfs disabled in /etc/modprobe.conf" />
+      <criterion test_ref="test_kernmod_freevxfs_etcmodules-load" comment="kernel module freevxfs disabled in /etc/modules-load.d" />
+      <criterion test_ref="test_kernmod_freevxfs_runmodules-load" comment="kernel module freevxfs disabled in /run/modules-load.d" />
+      <criterion test_ref="test_kernmod_freevxfs_libmodules-load" comment="kernel module freevxfs disabled in /usr/lib/modules-load.d" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_kernmod_freevxfs_disabled" version="1" check="all"
+  comment="kernel module freevxfs disabled">
+    <ind:object object_ref="obj_kernmod_freevxfs_disabled" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_freevxfs_modprobeconf" version="1" check="all"
+  comment="kernel module freevxfs disabled in /etc/modprobe.conf">
+    <ind:object object_ref="obj_kernmod_freevxfs_modprobeconf" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_freevxfs_etcmodules-load" version="1" check="all"
+  comment="kernel module freevxfs disabled in /etc/modules-load.d">
+    <ind:object object_ref="obj_kernmod_freevxfs_etcmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_freevxfs_runmodules-load" version="1" check="all"
+  comment="kernel module freevxfs disabled in /run/modules-load.d">
+    <ind:object object_ref="obj_kernmod_freevxfs_runmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_freevxfs_libmodules-load" version="1" check="all"
+  comment="kernel module freevxfs disabled in /usr/lib/modules-load.d">
+    <ind:object object_ref="obj_kernmod_freevxfs_libmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_kernmod_freevxfs_disabled"
+  version="1" comment="kernel module freevxfs disabled">
+    <ind:path>/etc/modprobe.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_freevxfs_modprobeconf"
+  version="1" comment="Check deprecated /etc/modprobe.conf for disablement of freevxfs">
+    <ind:filepath>/etc/modprobe.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_freevxfs_etcmodules-load"
+  version="1" comment="kernel module freevxfs disabled in /etc/modules-load.d">
+    <ind:path>/etc/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_freevxfs_runmodules-load"
+  version="1" comment="kernel module freevxfs disabled in /run/modules-load.d">
+    <ind:path>/run/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_freevxfs_libmodules-load"
+  version="1" comment="kernel module freevxfs disabled in /usr/lib/modules-load.d">
+    <ind:path>/usr/lib/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/RHEL/7/input/oval/kernel_module_hfs_disabled.xml b/RHEL/7/input/oval/kernel_module_hfs_disabled.xml
@@ -0,0 +1,86 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_kernel_modules_disabled.py.  DO NOT EDIT.  -->
+  <definition class="compliance"
+  id="kernel_module_hfs_disabled" version="1">
+    <metadata>
+      <title>Disable hfs Kernel Module</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The kernel module hfs should be disabled.</description>
+      <reference source="galford" ref_id="20150819" ref_url="test_attestation"/>
+    </metadata>
+    <criteria operator="OR">
+      <criterion test_ref="test_kernmod_hfs_disabled" comment="kernel module hfs disabled in /etc/modprobe.d" />
+      <criterion test_ref="test_kernmod_hfs_modprobeconf" comment="kernel module hfs disabled in /etc/modprobe.conf" />
+      <criterion test_ref="test_kernmod_hfs_etcmodules-load" comment="kernel module hfs disabled in /etc/modules-load.d" />
+      <criterion test_ref="test_kernmod_hfs_runmodules-load" comment="kernel module hfs disabled in /run/modules-load.d" />
+      <criterion test_ref="test_kernmod_hfs_libmodules-load" comment="kernel module hfs disabled in /usr/lib/modules-load.d" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfs_disabled" version="1" check="all"
+  comment="kernel module hfs disabled">
+    <ind:object object_ref="obj_kernmod_hfs_disabled" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfs_modprobeconf" version="1" check="all"
+  comment="kernel module hfs disabled in /etc/modprobe.conf">
+    <ind:object object_ref="obj_kernmod_hfs_modprobeconf" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfs_etcmodules-load" version="1" check="all"
+  comment="kernel module hfs disabled in /etc/modules-load.d">
+    <ind:object object_ref="obj_kernmod_hfs_etcmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfs_runmodules-load" version="1" check="all"
+  comment="kernel module hfs disabled in /run/modules-load.d">
+    <ind:object object_ref="obj_kernmod_hfs_runmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfs_libmodules-load" version="1" check="all"
+  comment="kernel module hfs disabled in /usr/lib/modules-load.d">
+    <ind:object object_ref="obj_kernmod_hfs_libmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfs_disabled"
+  version="1" comment="kernel module hfs disabled">
+    <ind:path>/etc/modprobe.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfs_modprobeconf"
+  version="1" comment="Check deprecated /etc/modprobe.conf for disablement of hfs">
+    <ind:filepath>/etc/modprobe.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfs_etcmodules-load"
+  version="1" comment="kernel module hfs disabled in /etc/modules-load.d">
+    <ind:path>/etc/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfs_runmodules-load"
+  version="1" comment="kernel module hfs disabled in /run/modules-load.d">
+    <ind:path>/run/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfs_libmodules-load"
+  version="1" comment="kernel module hfs disabled in /usr/lib/modules-load.d">
+    <ind:path>/usr/lib/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/RHEL/7/input/oval/kernel_module_hfsplus_disabled.xml b/RHEL/7/input/oval/kernel_module_hfsplus_disabled.xml
@@ -0,0 +1,86 @@
+<def-group>
+ <!-- THIS FILE IS GENERATED by create_kernel_modules_disabled.py.  DO NOT EDIT.  -->
+  <definition class="compliance"
+  id="kernel_module_hfsplus_disabled" version="1">
+    <metadata>
+      <title>Disable hfsplus Kernel Module</title>
+      <affected family="unix">
+        <platform>Red Hat Enterprise Linux 7</platform>
+      </affected>
+      <description>The kernel module hfsplus should be disabled.</description>
+      <reference source="galford" ref_id="20150819" ref_url="test_attestation"/>
+    </metadata>
+    <criteria operator="OR">
+      <criterion test_ref="test_kernmod_hfsplus_disabled" comment="kernel module hfsplus disabled in /etc/modprobe.d" />
+      <criterion test_ref="test_kernmod_hfsplus_modprobeconf" comment="kernel module hfsplus disabled in /etc/modprobe.conf" />
+      <criterion test_ref="test_kernmod_hfsplus_etcmodules-load" comment="kernel module hfsplus disabled in /etc/modules-load.d" />
+      <criterion test_ref="test_kernmod_hfsplus_runmodules-load" comment="kernel module hfsplus disabled in /run/modules-load.d" />
+      <criterion test_ref="test_kernmod_hfsplus_libmodules-load" comment="kernel module hfsplus disabled in /usr/lib/modules-load.d" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfsplus_disabled" version="1" check="all"
+  comment="kernel module hfsplus disabled">
+    <ind:object object_ref="obj_kernmod_hfsplus_disabled" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfsplus_modprobeconf" version="1" check="all"
+  comment="kernel module hfsplus disabled in /etc/modprobe.conf">
+    <ind:object object_ref="obj_kernmod_hfsplus_modprobeconf" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfsplus_etcmodules-load" version="1" check="all"
+  comment="kernel module hfsplus disabled in /etc/modules-load.d">
+    <ind:object object_ref="obj_kernmod_hfsplus_etcmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfsplus_runmodules-load" version="1" check="all"
+  comment="kernel module hfsplus disabled in /run/modules-load.d">
+    <ind:object object_ref="obj_kernmod_hfsplus_runmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_test id="test_kernmod_hfsplus_libmodules-load" version="1" check="all"
+  comment="kernel module hfsplus disabled in /usr/lib/modules-load.d">
+    <ind:object object_ref="obj_kernmod_hfsplus_libmodules-load" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfsplus_disabled"
+  version="1" comment="kernel module hfsplus disabled">
+    <ind:path>/etc/modprobe.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfsplus_modprobeconf"
+  version="1" comment="Check deprecated /etc/modprobe.conf for disablement of hfsplus">
+    <ind:filepath>/etc/modprobe.conf</ind:filepath>
+    <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfsplus_etcmodules-load"
+  version="1" comment="kernel module hfsplus disabled in /etc/modules-load.d">
+    <ind:path>/etc/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfsplus_runmodules-load"
+  version="1" comment="kernel module hfsplus disabled in /run/modules-load.d">
+    <ind:path>/run/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+  <ind:textfilecontent54_object id="obj_kernmod_hfsplus_libmodules-load"
+  version="1" comment="kernel module hfsplus disabled in /usr/lib/modules-load.d">
+    <ind:path>/usr/lib/modules-load.d</ind:path>
+    <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
+    <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>