This repository has been archived by the owner on Dec 15, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
/
U_SUSE_Linux_Enterprise_Server_v11_V1R1-oval.xml
433 lines (432 loc) · 32.9 KB
/
U_SUSE_Linux_Enterprise_Server_v11_V1R1-oval.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
<generator>
<oval:product_name>Enhanced SCAP Content Editor (eSCAPe)</oval:product_name>
<oval:product_version>1.2.2</oval:product_version>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>2018-02-28T02:48:30</oval:timestamp>
</generator>
<!--generated.oval.base.identifier=gov.disa.suse-->
<definitions>
<definition id="oval:gov.disa.suse:def:776" version="1" class="compliance">
<metadata>
<title>The root accounts executable search path must be the vendor default and must contain only absolute paths.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>The executable search path (typically the PATH environment variable) contains a list of directories for the shell to search to find executables. If this path includes the current working directory or other relative paths, executables in these directories may be executed instead of system commands. This variable is formatted as a colon-separated list of directories. If there is an empty entry, such as a leading or trailing colon or two consecutive colons, this is interpreted as the current working directory. Entries starting with a slash (/) are absolute paths.</description>
</metadata>
<criteria operator="AND">
<criterion comment="environment variable PATH starts with : or ." test_ref="oval:gov.disa.suse:tst:7760001" />
<criterion comment="environment variable PATH contains : twice in a row" test_ref="oval:gov.disa.suse:tst:7760002" />
<criterion comment="environment variable PATH contains . twice in a row" test_ref="oval:gov.disa.suse:tst:7760003" />
<criterion comment="environment variable PATH ends with : or ." test_ref="oval:gov.disa.suse:tst:7760004" />
<criterion comment="environment variable PATH doesn't begin with a /" test_ref="oval:gov.disa.suse:tst:7760005" />
<criterion comment="environment variable PATH doesn't contain relative paths" test_ref="oval:gov.disa.suse:tst:7760006" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:775" version="1" class="compliance">
<metadata>
<title>The root accounts home directory (other than /) must have mode 0700.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>Permissions greater than 0700 could allow unauthorized users access to the root home directory.</description>
</metadata>
<criteria>
<criterion comment="Root home permissions should be 700" test_ref="oval:gov.disa.suse:tst:775" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:774" version="1" class="compliance">
<metadata>
<title>The root users home directory must not be the root directory (/).</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>Changing the root home directory to something other than / and assigning it a 0700 protection makes it more difficult for intruders to manipulate the system by reading the files root places in its default directory. It also gives root the same discretionary access control for root's home directory as for the other user home directories.</description>
</metadata>
<criteria>
<criterion comment="Root home should not be /" test_ref="oval:gov.disa.suse:tst:774" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:773" version="1" class="compliance">
<metadata>
<title>The root account must be the only account having a UID of 0.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>If an account has a UID of 0, it has root authority. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account.</description>
</metadata>
<criteria>
<criterion comment="Only root should have a UID of 0" test_ref="oval:gov.disa.suse:tst:773" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:770" version="1" class="compliance">
<metadata>
<title>The system must not have accounts configured with blank or null passwords.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>If an account is configured for password authentication but does not have an assigned password, it may be possible to log into the account without authentication. If the root user is configured without a password, the entire system may be compromised. For user accounts not using password authentication, the account must be configured with a password lock value instead of a blank or null value.</description>
</metadata>
<criteria comment="nullok should not exist anywhere">
<criterion comment="/etc/pam.d/common-auth-pc should not contain a nullok" test_ref="oval:gov.disa.suse:tst:7700001" />
<criterion comment="/etc/pam.d/common-account-pc should not contain a nullok" test_ref="oval:gov.disa.suse:tst:7700002" />
<criterion comment="/etc/pam.d/common-password-pc should not contain a nullok" test_ref="oval:gov.disa.suse:tst:7700003" />
<criterion comment="/etc/pam.d/common-session-pc should not contain a nullok" test_ref="oval:gov.disa.suse:tst:7700004" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:768" version="1" class="compliance">
<metadata>
<title>The delay between login prompts following a failed login attempt must be at least 4 seconds.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>Enforcing a delay between successive failed login attempts increases protection against automated password guessing attacks.</description>
</metadata>
<criteria>
<criterion comment="/etc/login.defs should specify 4 or more seconds between attempts" test_ref="oval:gov.disa.suse:tst:7680001" />
<criterion comment="/etc/pam.d/common-auth-pc should enable login delays" test_ref="oval:gov.disa.suse:tst:7680002" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:766" version="1" class="compliance">
<metadata>
<title>The system must disable accounts after three consecutive unsuccessful login attempts.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks.</description>
</metadata>
<criteria>
<criterion comment="/etc/pam.d/login must disable accounts after 3 unsuccessful login attempts" test_ref="oval:gov.disa.suse:tst:7660001" />
<criterion comment="/etc/pam.d/sshd must disable accounts after 3 unsuccessful login attempts" test_ref="oval:gov.disa.suse:tst:7660002" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:765" version="1" class="compliance">
<metadata>
<title>Successful and unsuccessful logins and logouts must be logged</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>Monitoring and recording successful and unsuccessful logins assists in tracking unauthorized access to the system. Without this logging, the ability to track unauthorized activity to specific user accounts may be diminished.</description>
</metadata>
<criteria operator="AND" negate="false" comment="">
<criterion comment="/var/log/wtmp must exist" test_ref="oval:gov.disa.suse:tst:7650001" negate="false" />
<criterion comment="/var/log/btmp must exist" test_ref="oval:gov.disa.suse:tst:7650002" negate="false" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:762" version="1" class="compliance">
<metadata>
<title>All accounts on the system must have unique User Identification Numbers (UIDs).</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>Accounts sharing a UID have full access to each others' files. This has the same effect as sharing a login. There is no way to assure identification, authentication, and accountability because the system sees them as the same user. If the duplicate UID is 0, this gives potential intruders another privileged account to attack.</description>
</metadata>
<criteria>
<criterion comment="/etc/passwd should not contain duplicate account UIDs" test_ref="oval:gov.disa.suse:tst:762" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:761" version="1" class="compliance">
<metadata>
<title>All accounts on the system must have unique user or account names</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>A unique user name is the first part of the identification</description>
</metadata>
<criteria>
<criterion comment="/etc/passwd should not contain duplicate account names" test_ref="oval:gov.disa.suse:tst:761" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:756" version="1" class="compliance">
<metadata>
<title>The system must require authentication upon booting into single-user and maintenance modes.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.</description>
</metadata>
<criteria>
<criterion comment="/etc/inittab requires root authentication in single-user mode" test_ref="oval:gov.disa.suse:tst:756" />
</criteria>
</definition>
<definition id="oval:gov.disa.suse:def:22347" version="1" class="compliance">
<metadata>
<title>The /etc/passwd file must not contain password hashes.</title>
<affected family="unix">
<platform>SUSE Linux Enterprise Server 11</platform>
</affected>
<description>If password hashes are readable by non-administrators, the passwords are subject to attack through lookup tables or cryptographic weaknesses in the hashes.</description>
</metadata>
<criteria>
<criterion comment="/etc/passwd does not contain hashes" test_ref="oval:gov.disa.suse:tst:22347" />
</criteria>
</definition>
</definitions>
<tests>
<environmentvariable58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7760001" version="1" check="none satisfy" comment="environment variable PATH starts with : or .">
<object object_ref="oval:gov.disa.suse:obj:776" />
<state state_ref="oval:gov.disa.suse:ste:7760001" />
</environmentvariable58_test>
<environmentvariable58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7760002" version="1" check="none satisfy" comment="environment variable PATH doesn't contain : twice in a row">
<object object_ref="oval:gov.disa.suse:obj:776" />
<state state_ref="oval:gov.disa.suse:ste:7760002" />
</environmentvariable58_test>
<environmentvariable58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7760003" version="1" check="none satisfy" comment="environment variable PATH doesn't contain . twice in a row">
<object object_ref="oval:gov.disa.suse:obj:776" />
<state state_ref="oval:gov.disa.suse:ste:7760003" />
</environmentvariable58_test>
<environmentvariable58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7760004" version="1" check="none satisfy" comment="environment variable PATH ends with : or .">
<object object_ref="oval:gov.disa.suse:obj:776" />
<state state_ref="oval:gov.disa.suse:ste:7760004" />
</environmentvariable58_test>
<environmentvariable58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7760005" version="1" check="none satisfy" comment="environment variable PATH starts with an absolute path /">
<object object_ref="oval:gov.disa.suse:obj:776" />
<state state_ref="oval:gov.disa.suse:ste:7760005" />
</environmentvariable58_test>
<environmentvariable58_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7760006" version="1" check="none satisfy" comment="environment variable PATH contains relative paths">
<object object_ref="oval:gov.disa.suse:obj:776" />
<state state_ref="oval:gov.disa.suse:ste:7760006" />
</environmentvariable58_test>
<file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:tst:775" version="1" check="only one" comment="root home permissions must match 0700" check_existence="all_exist">
<object object_ref="oval:gov.disa.suse:obj:775" />
<state state_ref="oval:gov.disa.suse:ste:775" />
</file_test>
<password_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:tst:774" version="1" check="all" check_existence="at_least_one_exists">
<object object_ref="oval:gov.disa.suse:obj:773" />
<state state_ref="oval:gov.disa.suse:ste:774" />
</password_test>
<password_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:tst:773" version="1" check="all" check_existence="at_least_one_exists">
<object object_ref="oval:gov.disa.suse:obj:773" />
<state state_ref="oval:gov.disa.suse:ste:773" />
</password_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7700001" version="1" check="all" comment="no nullok" check_existence="none_exist">
<object object_ref="oval:gov.disa.suse:obj:7700001" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7700002" version="1" check="all" comment="no nullok" check_existence="none_exist">
<object object_ref="oval:gov.disa.suse:obj:7700002" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7700003" version="1" check="all" comment="no nullok" check_existence="none_exist">
<object object_ref="oval:gov.disa.suse:obj:7700003" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7700004" version="1" check="all" comment="no nullok" check_existence="none_exist">
<object object_ref="oval:gov.disa.suse:obj:7700004" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7680001" version="1" check="all" comment="delay login attempts by at least 4 seconds" check_existence="all_exist">
<object object_ref="oval:gov.disa.suse:obj:7680001" />
<state state_ref="oval:gov.disa.suse:ste:7680001" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7680002" version="1" check="all" comment="delay login attempts by at least 4 seconds" check_existence="all_exist">
<object object_ref="oval:gov.disa.suse:obj:7680002" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7660001" version="1" check="all" comment="disable accounts after 3 unsuccessful login attempts" check_existence="at_least_one_exists">
<object object_ref="oval:gov.disa.suse:obj:7660001" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:7660002" version="1" check="all" comment="disable accounts after 3 unsuccessful login attempts" check_existence="at_least_one_exists">
<object object_ref="oval:gov.disa.suse:obj:7660002" />
</textfilecontent54_test>
<file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:tst:7650001" version="1" check="only one" comment="/var/log/wtmp must exist" check_existence="only_one_exists">
<object object_ref="oval:gov.disa.suse:obj:7650001" />
<state state_ref="oval:gov.disa.suse:ste:7650001" />
</file_test>
<file_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:tst:7650002" version="1" check="only one" comment="/var/log/btmp must exist" check_existence="only_one_exists">
<object object_ref="oval:gov.disa.suse:obj:7650002" />
<state state_ref="oval:gov.disa.suse:ste:7650002" />
</file_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:762" version="1" check="all" comment="Check /etc/passwd for unique UIDs" check_existence="all_exist">
<object object_ref="oval:gov.disa.suse:obj:7620001" />
<state state_ref="oval:gov.disa.suse:ste:762" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:761" version="1" check="all" comment="Check /etc/passwd for unique users" check_existence="all_exist">
<object object_ref="oval:gov.disa.suse:obj:7610001" />
<state state_ref="oval:gov.disa.suse:ste:761" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:756" version="1" check="all" comment="sulogin should run in single-user mode" check_existence="at_least_one_exists">
<object object_ref="oval:gov.disa.suse:obj:756" />
<state state_ref="oval:gov.disa.suse:ste:756" />
</textfilecontent54_test>
<textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:tst:22347" version="1" check="all" comment="/etc/passwd does not contain hashes" check_existence="at_least_one_exists">
<object object_ref="oval:gov.disa.suse:obj:22347" />
<state state_ref="oval:gov.disa.suse:ste:22347" />
</textfilecontent54_test>
</tests>
<objects>
<environmentvariable58_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:776" version="1">
<pid xsi:nil="true" />
<name>PATH</name>
</environmentvariable58_object>
<file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:obj:775" version="1" comment="root home permissions">
<!-- <path datatype="string">/root</path> -->
<path datatype="string" operation="equals" var_ref="oval:gov.disa.suse:var:775" var_check="all" />
<filename xsi:nil="true" />
</file_object>
<password_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:obj:773" version="1">
<username datatype="string" operation="equals">root</username>
</password_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" id="oval:gov.disa.suse:obj:7700001" version="1" comment="nullok should not be present">
<filepath datatype="string">/etc/pam.d/common-auth-pc</filepath>
<pattern datatype="string" operation="pattern match">^[^#]*nullok</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" id="oval:gov.disa.suse:obj:7700002" version="1" comment="nullok should not be present">
<filepath datatype="string">/etc/pam.d/common-account-pc</filepath>
<pattern datatype="string" operation="pattern match">^[^#]*nullok</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" id="oval:gov.disa.suse:obj:7700003" version="1" comment="nullok should not be present">
<filepath datatype="string">/etc/pam.d/common-password-pc</filepath>
<pattern datatype="string" operation="pattern match">^[^#]*nullok</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" check="all" check_existence="none_exist" id="oval:gov.disa.suse:obj:7700004" version="1" comment="nullok should not be present">
<filepath datatype="string">/etc/pam.d/common-session-pc</filepath>
<pattern datatype="string" operation="pattern match">^[^#]*nullok</pattern>
<instance datatype="int">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:7680001" version="1" comment="delay after failure to login should be 4 or more seconds">
<filepath datatype="string">/etc/login.defs</filepath>
<pattern datatype="string" operation="pattern match">^\s*FAIL_DELAY\s+([0-9]+)</pattern>
<instance datatype="int" operation="equals">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:7680002" version="1" comment="delay after failure to login should be 4 or more seconds">
<filepath datatype="string">/etc/pam.d/common-auth-pc</filepath>
<pattern datatype="string" operation="pattern match">^\s*auth\s+optional\s+pam_faildelay.so</pattern>
<instance datatype="int" operation="equals">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:7660001" version="1" comment="disable after 3 unsuccessful login attempts">
<filepath datatype="string">/etc/pam.d/login</filepath>
<pattern datatype="string" operation="pattern match">^auth\s+required\s+pam_tally.so\s+deny=3\s+onerr=fail</pattern>
<instance datatype="int" operation="equals">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:7660002" version="1" comment="disable after 3 unsuccessful login attempts">
<filepath datatype="string">/etc/pam.d/sshd</filepath>
<pattern datatype="string" operation="pattern match">^auth\s+required\s+pam_tally.so\s+deny=3\s+onerr=fail</pattern>
<instance datatype="int" operation="equals">1</instance>
</textfilecontent54_object>
<file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:obj:7650002" version="1" comment="/var/log/btmp must exist">
<filepath datatype="string" operation="equals">/var/log/btmp</filepath>
</file_object>
<file_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:obj:7650001" version="1" comment="/var/log/wtmp must exist">
<filepath datatype="string" operation="equals">/var/log/wtmp</filepath>
</file_object>
<variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:7620001" version="1" comment="Variable count of ALL user UIDs from /etc/passwd">
<var_ref>oval:gov.disa.suse:var:762</var_ref>
</variable_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:762" version="1" comment="Check /etc/passwd for duplicate UIDs">
<filepath datatype="string" operation="equals">/etc/passwd</filepath>
<pattern datatype="string" operation="pattern match">^[^:]*:[^:]*:([^:]+):.*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
<variable_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:7610001" version="1" comment="Variable count of ALL users from /etc/passwd">
<var_ref>oval:gov.disa.suse:var:761</var_ref>
</variable_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:761" version="1" comment="Check /etc/passwd for duplicate users">
<filepath datatype="string" operation="equals">/etc/passwd</filepath>
<pattern datatype="string" operation="pattern match">^([^:]+):.*$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:756" version="1" comment="Recovery mode must boot into Single-user mode">
<filepath datatype="string">/etc/inittab</filepath>
<pattern datatype="string" operation="pattern match">^~~:S:[^#\n]+:([^#\n]+)</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:obj:22347" version="1" comment="Check /etc/passwd for hashes">
<filepath datatype="string">/etc/passwd</filepath>
<pattern datatype="string" operation="pattern match">^[^:]*:([^:]*):</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
</objects>
<states>
<environmentvariable58_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:7760001" version="1" comment="starts with colon or period">
<value operation="pattern match">^[:\.]</value>
</environmentvariable58_state>
<environmentvariable58_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:7760002" version="1" comment="colon twice in a row">
<value operation="pattern match">::</value>
</environmentvariable58_state>
<environmentvariable58_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:7760003" version="1" comment="period twice in a row">
<value operation="pattern match">\.\.</value>
</environmentvariable58_state>
<environmentvariable58_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:7760004" version="1" comment="ends with colon or period">
<value operation="pattern match">[:\.]$</value>
</environmentvariable58_state>
<environmentvariable58_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:7760005" version="1" comment="begins with a slash">
<value operation="pattern match">^[^/]</value>
</environmentvariable58_state>
<environmentvariable58_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:7760006" version="1" comment="elements begin with a slash">
<value operation="pattern match">[^\\]:[^/]</value>
</environmentvariable58_state>
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:ste:775" version="1" comment="root home permissions are 07000" operator="AND">
<suid datatype="boolean">false</suid>
<sgid datatype="boolean">false</sgid>
<sticky datatype="boolean">false</sticky>
<uread datatype="boolean">true</uread>
<uwrite datatype="boolean">true</uwrite>
<uexec datatype="boolean">true</uexec>
<gread datatype="boolean">false</gread>
<gwrite datatype="boolean">false</gwrite>
<gexec datatype="boolean">false</gexec>
<oread datatype="boolean">false</oread>
<owrite datatype="boolean">false</owrite>
<oexec datatype="boolean">false</oexec>
</file_state>
<password_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:ste:774" version="1">
<username datatype="string" operation="equals" entity_check="only one">root</username>
<home_dir datatype="string" operation="not equal" entity_check="only one">/</home_dir>
</password_state>
<password_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:ste:773" version="1">
<username datatype="string" operation="equals" entity_check="all">root</username>
<user_id datatype="int" operation="equals" entity_check="all">0</user_id>
</password_state>
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:7680001" version="1" comment="FAIL_DELAY should be 4 or more seconds">
<subexpression datatype="int" operation="greater than or equal">4</subexpression>
</textfilecontent54_state>
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:ste:7650002" version="1" comment="/var/log/btmp exists">
<filepath datatype="string" operation="equals" entity_check="only one" var_check="all">/var/log/btmp</filepath>
</file_state>
<file_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" id="oval:gov.disa.suse:ste:7650001" version="1" comment="/var/log/wtmp exists">
<filepath datatype="string" operation="equals" entity_check="only one" var_check="all">/var/log/wtmp</filepath>
</file_state>
<variable_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:762" version="1" comment="State of UNIQUE UIDs in /etc/passwd">
<value var_ref="oval:gov.disa.suse:var:7620001" datatype="int" operation="equals" var_check="at least one" />
</variable_state>
<variable_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:761" version="1" comment="State of UNIQUE users in /etc/passwd">
<value var_ref="oval:gov.disa.suse:var:7610001" datatype="int" operation="equals" var_check="at least one" />
</variable_state>
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:756" version="1" comment="Single-user mode">
<subexpression datatype="string">/sbin/sulogin</subexpression>
</textfilecontent54_state>
<textfilecontent54_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:gov.disa.suse:ste:22347" version="1" comment="Check /etc/passwd for hashes">
<subexpression datatype="string">x</subexpression>
</textfilecontent54_state>
</states>
<variables>
<local_variable id="oval:gov.disa.suse:var:775" version="1" comment="root home dir" datatype="string">
<object_component object_ref="oval:gov.disa.suse:obj:773" item_field="home_dir" />
</local_variable>
<local_variable id="oval:gov.disa.suse:var:762" version="1" comment="/etc/passwd UID count" datatype="int">
<count>
<object_component item_field="subexpression" object_ref="oval:gov.disa.suse:obj:762" />
</count>
</local_variable>
<local_variable id="oval:gov.disa.suse:var:7620001" version="1" comment="/etc/passwd unique UID count" datatype="int">
<count>
<unique>
<object_component item_field="subexpression" object_ref="oval:gov.disa.suse:obj:762" />
</unique>
</count>
</local_variable>
<local_variable id="oval:gov.disa.suse:var:761" version="1" comment="/etc/passwd username count" datatype="int">
<count>
<object_component item_field="subexpression" object_ref="oval:gov.disa.suse:obj:761" />
</count>
</local_variable>
<local_variable id="oval:gov.disa.suse:var:7610001" version="1" comment="/etc/passwd unique username count" datatype="int">
<count>
<unique>
<object_component item_field="subexpression" object_ref="oval:gov.disa.suse:obj:761" />
</unique>
</count>
</local_variable>
</variables>
</oval_definitions>