From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-649145-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id A2EA513827E
	for <garchives@archives.gentoo.org>; Wed, 11 Dec 2013 20:58:45 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 275BEE09DB;
	Wed, 11 Dec 2013 20:58:45 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 71A68E09A4
	for <gentoo-commits@lists.gentoo.org>; Wed, 11 Dec 2013 20:58:44 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163])
	(using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 36E6033F152
	for <gentoo-commits@lists.gentoo.org>; Wed, 11 Dec 2013 20:58:43 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by hornbill.gentoo.org (Postfix) with ESMTP id 9E469D004C
	for <gentoo-commits@lists.gentoo.org>; Wed, 11 Dec 2013 20:58:40 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1386795433.47048684305f47c5fbe32da2c9cdc6e7f687cfaa.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/SCAP/
X-VCS-Repository: proj/hardened-docs
X-VCS-Files: xml/SCAP/openssh-ds.xml
X-VCS-Directories: xml/SCAP/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 47048684305f47c5fbe32da2c9cdc6e7f687cfaa
X-VCS-Branch: master
Date: Wed, 11 Dec 2013 20:58:40 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 8fc9dae0-9e3a-4fc2-ac43-d0de25cc5417
X-Archives-Hash: 0946c437f13df478e6aacc059fa5a643

commit:     47048684305f47c5fbe32da2c9cdc6e7f687cfaa
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Dec 11 20:57:13 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 11 20:57:13 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-docs.git;a=commit;h=47048684

Adding datastream for OpenSSH

---
 xml/SCAP/openssh-ds.xml | 1610 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1610 insertions(+)

diff --git a/xml/SCAP/openssh-ds.xml b/xml/SCAP/openssh-ds.xml
new file mode 100644
index 0000000..84207bc
--- /dev/null
+++ b/xml/SCAP/openssh-ds.xml
@@ -0,0 +1,1610 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_openssh-xccdf.xml" schematron-version="1.0"><ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_openssh-xccdf.xml" scap-version="1.2" use-case="OTHER"><ds:dictionaries><ds:component-ref id="scap_org.open-scap_cref_gentoo-cpe.xml" xlink:href="#scap_org.open-scap_comp_gentoo-cpe.xml"><cat:catalog><cat:uri name="gentoo-oval.xml" uri="#scap_org.open-scap_cref_gentoo-oval.xml"/></cat:catalog></ds:component-ref></ds:dictionaries><ds:checklists><ds:component-ref id="scap_org.open-scap_cref_openssh-xccdf.xml" xlink:href="#scap_org.open-scap_comp_openssh-xccdf.xml"><cat:catalog><cat:uri name="openssh-oval.xml" uri="#scap_org.open-scap_cref_openssh-oval.xml"/></cat:catalog></ds:component-ref></ds:checklists><ds:checks><ds:component-ref id="scap_org.open-scap_cre
 f_openssh-oval.xml" xlink:href="#scap_org.open-scap_comp_openssh-oval.xml"/><ds:component-ref id="scap_org.open-scap_cref_gentoo-oval.xml" xlink:href="#scap_org.open-scap_comp_gentoo-oval.xml"/></ds:checks></ds:data-stream><ds:component id="scap_org.open-scap_comp_openssh-oval.xml" timestamp="2012-07-18T22:14:45"><oval_definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix">
+  <generator>
+    <oval:product_name>vim</oval:product_name>
+    <oval:schema_version>5.9</oval:schema_version>
+    <oval:timestamp>2011-10-31T12:00:00-04:00</oval:timestamp>
+  </generator>
+
+<definitions>
+<!-- @@GENOVAL START DEFINITIONS -->
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:1" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:2" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:3" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:5" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:6" version="1">
+  <metadata>
+    <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+    <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="file /etc/hosts.allow must have a line that matches ^sshd:"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:7" version="1">
+  <metadata>
+    <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+    <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:8" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:9" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:10" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:11" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:12" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:13" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:14" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:15" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:16" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:17" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:18" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+    <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:19" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress"/>
+  </criteria>
+</definition>
+<definition class="compliance" id="oval:org.gentoo.dev.swift:def:20" version="1">
+  <metadata>
+    <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+    <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+  </metadata>
+  <criteria>
+    <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no"/>
+  </criteria>
+</definition>
+<!-- @@GENOVAL END DEFINITIONS -->
+</definitions>
+
+<tests>
+<!-- @@GENOVAL START TESTS -->
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:3" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:3"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:5" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowGroup" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="at least one" comment="file /etc/hosts.allow must have a line that matches ^sshd:" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:7" version="1" check="at least one" comment="file /etc/hosts.deny must have a line that matches ^sshd: ALL" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:7"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:9" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:8"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:9"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:11" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:10"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:11"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:13" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:12"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:13"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:15" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:14"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:15"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:17" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:16"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="none satisfy" comment="file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:17"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^ListenAddress" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:18"/>
+</ind-def:textfilecontent54_test>
+<ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="at least one" comment="file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no" check_existence="at_least_one_exists">
+  <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:19"/>
+</ind-def:textfilecontent54_test>
+<!-- @@GENOVAL END TESTS -->
+</tests>
+
+<objects>
+<!-- @@GENOVAL START OBJECTS -->
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="Non-comment lines in /etc/ssh/sshd_config">
+  <ind-def:filepath>/etc/ssh/sshd_config</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="Non-comment lines in /etc/hosts.allow">
+  <ind-def:filepath>/etc/hosts.allow</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="Non-comment lines in /etc/hosts.deny">
+  <ind-def:filepath>/etc/hosts.deny</ind-def:filepath>
+  <ind-def:pattern operation="pattern match">^[[:space:]]*([^#[:space:]].*[^[:space:]]?)[[:space:]]*$</ind-def:pattern>
+  <ind-def:instance datatype="int" operation="greater than or equal">1</ind-def:instance>
+</ind-def:textfilecontent54_object>
+<!-- @@GENOVAL END OBJECTS -->
+</objects>
+
+<states>
+<!-- @@GENOVAL START STATES -->
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The match of ^PermitRootLogin no">
+  <ind-def:subexpression operation="pattern match">^PermitRootLogin no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The match of ^PasswordAuthentication no">
+  <ind-def:subexpression operation="pattern match">^PasswordAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The match of ^ChallengeResponseAuthentication no">
+  <ind-def:subexpression operation="pattern match">^ChallengeResponseAuthentication no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="The match of ^AllowGroup">
+  <ind-def:subexpression operation="pattern match">^AllowGroup</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="The match of ^sshd">
+  <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="The match of ^sshd">
+  <ind-def:subexpression operation="pattern match">^sshd</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:7" version="1" comment="The match of ^IgnoreRhosts.*no">
+  <ind-def:subexpression operation="pattern match">^IgnoreRhosts.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:8" version="1" comment="The match of ^RhostsRSAAuthentication.*yes">
+  <ind-def:subexpression operation="pattern match">^RhostsRSAAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:9" version="1" comment="The match of ^HostbasedAuthentication.*yes">
+  <ind-def:subexpression operation="pattern match">^HostbasedAuthentication.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:10" version="1" comment="The match of ^PermitEmptyPasswords.*yes">
+  <ind-def:subexpression operation="pattern match">^PermitEmptyPasswords.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:11" version="1" comment="The match of ^UsePAM.*no">
+  <ind-def:subexpression operation="pattern match">^UsePAM.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:12" version="1" comment="The match of ^Protocol.*1">
+  <ind-def:subexpression operation="pattern match">^Protocol.*1</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:13" version="1" comment="The match of ^UsePrivilegeSeparation.*no">
+  <ind-def:subexpression operation="pattern match">^UsePrivilegeSeparation.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:14" version="1" comment="The match of ^X11Forwarding.*yes">
+  <ind-def:subexpression operation="pattern match">^X11Forwarding.*yes</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:15" version="1" comment="The match of ^StrictMode.*no">
+  <ind-def:subexpression operation="pattern match">^StrictMode.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:16" version="1" comment="The match of ^ListenAddress.*0.0.0.0">
+  <ind-def:subexpression operation="pattern match">^ListenAddress.*0.0.0.0</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:17" version="1" comment="The match of ^ListenAddress *">
+  <ind-def:subexpression operation="pattern match">^ListenAddress[ ]*</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:18" version="1" comment="The match of ^ListenAddress">
+  <ind-def:subexpression operation="pattern match">^ListenAddress</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:19" version="1" comment="The match of ^AllowTcpForwarding.*no">
+  <ind-def:subexpression operation="pattern match">^AllowTcpForwarding.*no</ind-def:subexpression>
+</ind-def:textfilecontent54_state>
+<!-- @@GENOVAL END STATES -->
+</states>
+
+</oval_definitions></ds:component><ds:component id="scap_org.open-scap_comp_openssh-xccdf.xml" timestamp="2013-12-11T21:54:25"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:h="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.gentoo.dev.swift_benchmark_Gentoo-Security-Benchmark-OpenSSH-1" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" resolved="0">
+  <status date="2012-07-14">draft</status>
+  <title>Hardening OpenSSH</title>
+  <description>
+    The OpenSSH server offers remote Secure Shell services towards your users. This benchmark
+    focuses on the hardening of OpenSSH within a Gentoo Hardened environment.
+  </description>
+  <platform idref="cpe:/o:gentoo:linux"/>
+  <version>1</version>
+  <model system="urn:xccdf:scoring:default"/>
+  <model system="urn:xccdf:scoring:flat"/>
+  <Profile id="xccdf_org.gentoo.dev.swift_profile_default">
+    <title>OpenSSH server setup settings</title>
+    <description>
+      Profile matching all OpenSSH hardening rules
+    </description>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="true"/>
+    <select idref="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="true"/>
+  </Profile>
+  <Group id="xccdf_org.gentoo.dev.swift_group_intro">
+    <title>Introduction</title>
+    <description>
+      The OpenSSH service is one of the most used SSH providing services. 
+    </description>
+    <Group id="xccdf_org.gentoo.dev.swift_group_intro-using">
+      <title>Using this guide</title>
+      <description>
+        The guide you are currently reading is the guide generated from this SCAP
+        content (more specifically, the XCCDF document) using <h:b>openscap</h:b>,
+        a free software implementation for handling SCAP content. Within Gentoo,
+        the package <h:code>app-forensics/openscap</h:code> provides the tools, and
+        the following command is used to generate the HTML output:
+        <h:br/>
+        <h:pre>### Command to generate this guide ###
+# <h:b>oscap xccdf generate guide openssh-xccdf.xml &gt; guide-openssh-xccdf.html</h:b>
+        </h:pre>
+        <h:br/>
+        Secondly, together with this XCCDF XML, you will also find an OVAL XML file.
+        The two files combined allow you to automatically validate various settings as
+        documented in the benchmark. 
+        <h:br/>
+        <h:br/>
+        You can test the benchmark against your configuration.
+        <h:pre>### Testing the rules mentioned in the XCCDF document ###
+# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default openssh-xccdf.xml</h:b></h:pre>
+        <h:br/>
+        To generate a full report in HTML as well, you can use the next command:
+        <h:pre>### Testing the rules and generating an HTML report ###
+# <h:b>oscap xccdf eval --cpe gentoo-cpe.xml --profile xccdf_org.gentoo.dev.swift_profile_default --results results-openssh-xccdf.xml --report report-openssh-xccdf.html openssh-xccdf.xml</h:b></h:pre>
+        <h:br/>
+        Finally, this benchmark will suggest some settings which you do not want
+        to enable. That is perfectly fine - even more, some settings might even
+        raise eyebrows left and right. We'll try to document the reasoning behind
+        the settings but you are free to deviate from them. If that is the case,
+        you might want to create your own profile which only contains the rules 
+        you want checked. You can then use that profile instead of the Default one.
+      </description>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_intro-profiles">
+      <title>Available XCCDF Profiles</title>
+      <description>
+        As mentioned earlier, the XCCDF document supports multiple profiles. For the time
+        being, one profile is defined:
+        <h:br/>
+        <h:ul>
+          <h:li>Default contains all mentioned tests</h:li>
+        </h:ul>
+        Substitute the profile information in the commands above with the profile you want to test on.
+      </description>
+    </Group>
+  </Group>
+  <Group id="xccdf_org.gentoo.dev.swift_group_config">
+    <title>Configuration Settings</title>
+    <description>
+      In this section, we look at the configuration settings of an OpenSSH service
+    </description>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-default">
+      <title>Default OpenSSH settings</title>
+      <description>
+        OpenSSH comes with some sane defaults to start with. These should not be touched.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhosts">
+        <title>Ignore Rhosts</title>
+        <description>
+          Historically, users could define a <h:code>.rhosts</h:code> or <h:code>.shosts</h:code>
+          file in which they mention the systems from which they log on to the system (the client
+          hosts). When the user then logs on from one of these remote locations, the shell service
+          would not ask for password authentication and just automatically log in the user.
+          <h:br/>
+          <h:br/>
+          The shell service treats <h:code>.shosts</h:code> mentioned hosts a bit different: it first
+          checks that hosts identity using some public key authentication scheme (in which case the
+          host keys of the clients are placed in <h:code>/etc/ssh/ssh_known_hosts</h:code> or
+          <h:code>~/.ssh/known_hosts</h:code>).
+          <h:br/>
+          <h:br/>
+          This is however a very insecure setup and can be easily circumvented. It only performs 
+          host-based authentication, not user authentication, and in case of the <h:code>.rhosts</h:code>
+          file this host-based authentication is only based on the hostname/IP matching. 
+          <h:br/>
+          <h:br/>
+          For this reason, support for the <h:code>.rhosts</h:code> and <h:code>.shosts</h:code>
+          files is by default disabled.
+          <h:br/>
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : IgnoreRhosts
+# If set, IgnoreRhosts must be set to yes (which is the default)
+IgnoreRhosts yes</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-rhosts -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rhosts" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^IgnoreRhosts.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:8" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-rhosts -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-rhostsrsa">
+        <title>Do not allow RSA Host Authentication</title>
+        <description>
+          As part of the Rhosts implementation, OpenSSH supports using RSA authentication for remote hosts.
+          With RSA authentication enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+          files need to be authenticated based on their RSA key. This applies to the SSH protocol version 1 only.
+          <h:br/>
+          <h:br/>
+          As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+          this option is by default disabled.
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : RhostsRSAAuthentication
+# If set, RhostsRSAAuthentication must be set to "no" (which is the default).
+RhostsRSAAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-rrsa -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-rrsa" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^RhostsRSAAuthentication.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:9" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-rrsa -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-hostbased">
+        <title>Do not allow Host-based Authentication</title>
+        <description>
+          As part of the Rhosts implementation, Ope SSH supports using public key authenticatoin for remote hosts.
+          With this enabled, hosts mentioned in the <h:code>.rhosts</h:code> (or <h:code>/etc/hosts.equiv</h:code>)
+          files need to be authenticated based on their public key. This applies to the SSH protocol version 2 only.
+          <h:br/>
+          <h:br/>
+          As Rhosts is found insecure, this option does not make rhosts more feasible to use. For this reason,
+          this option is by default disabled.
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : HostbasedAuthentication
+# If set, HostbasedAuthentication must be set to "no" (which is the default) 
+HostbasedAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-hostbased -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-hostbased" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^HostbasedAuthentication.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:10" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-hostbased -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-emptypassword">
+        <title>Do not Permit Empty Passwords</title>
+        <description>
+          If password-based authentication is used, it is wise not to allow empty passwords.
+          <h:br/>
+          <h:br/>
+          Allowing empty passwords within your network makes the services <h:em>very</h:em> vulnerable
+          to exploit, even when the software is fully up-to-date. 
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : PermitEmptyPasswords
+# If set, PermitEmptyPasswords must be set to "no" (which is the default).
+PermitEmptyPasswords no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-empty -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-empty" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^PermitEmptyPasswords.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:11" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-empty -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-pam">
+        <title>Use PAM</title>
+        <description>
+          PAM (Pluggable Authentication Modules) is a powerful framework for managing
+          authentication of users and services in a flexible manner. By default, OpenSSH
+          uses PAM for the authentication of users.
+          <h:br/>
+          <h:br/>
+          One of the many advantages of PAM is that you can add in additional rules you want
+          to enforce during the authentication. You can limit access based on login count (or number of failures),
+          use centralized authentication repositories (like OpenLDAP), allow access only during specific
+          time windows, etc.
+          <h:br/>
+          <h:br/>
+          It is strongly advised to use PAM for SSH authentication too (but do manage the PAM configuration
+          properly!) Be aware though that the authentication services themselves (is the user who he sais
+          he is) of PAM are not used if public key authentication is used. The other services, which include
+          the access controls mentioned earlier, are still consulted though.
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : UsePAM
+# If set, UsePAM must be set to "yes" (which is the default)
+UsePAM yes</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-pam -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-pam" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePAM.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:12" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-pam -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-protocol2">
+        <title>Only use version 2 of the SSH protocol</title>
+        <description>
+          The first version of the SSH protocol has been found insecure: TODO.
+          <h:br/>
+          <h:br/>
+          For this reason, it is strongly advised to use version 2 of the protocol only. This is also
+          the default for OpenSSH.
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : Protocol
+# If set, Protocol must be set to 2 only (which is the default)
+Protocol 2</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-def-protocol -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-protocol" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^Protocol.*1</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:13" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-protocol -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-privsep">
+        <title>Use privilege separation</title>
+	<description>
+	  With privilege separation enabled, the SSH daemon has a tiny footprint running as root,
+	  whereas the rest of the application runs as an unprivileged process to deal with the
+	  incoming network traffic. This can be tuned with <h:code>UsePrivilegeSeparation yes</h:code>
+	  which is the default for OpenSSH.
+	  <h:br/>
+	  <h:pre>### /etc/ssh/sshd_config : UsePrivilegeSeparation
+# If set, UsePrivilegeSeparation must be set to yes (which is the default)
+UsePrivilegeSeparation yes</h:pre>
+	</description>
+        <!-- @@GEN START rule-sshd-def-useprivsep -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-useprivsep" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^UsePrivilegeSeparation.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:14" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-def-useprivsep -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-x11fwd">
+        <title>Disable X11 forwarding</title>
+	<description>
+	  SSH supports forwarding X11 packets, so X11 applications started on the remote system have their
+	  display shown on the client. This behavior is by default disabled.
+	  <h:br/>
+	  <h:pre>### /etc/ssh/sshd_config : X11Forwarding
+# If set, X11Forwarding must be set to no (which is the default)
+X11Forwarding no</h:pre>
+	</description>
+	<!-- @@GEN START rule-sshd-def-nox11fwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-nox11fwd" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^X11Forwarding.*yes</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:15" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+	<!-- @@GEN END rule-sshd-def-nox11fwd -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-default-strictmode">
+        <title>Enable strict mode</title>
+	<description>
+	  When <h:code>StrictModes yes</h:code> is enabled, the SSH daemon will only allow a remote user to
+	  log on when some of the important files in that users' home directory have the proper privileges and
+	  ownership. This behavior is by default enabled.
+	  <h:br/>
+	  <h:pre>### /etc/ssh/sshd_config : StrictModes
+# If set, StrictModes must be set to yes (which is the default)
+StrictModes yes</h:pre>
+	</description>
+	<!-- @@GEN START rule-sshd-def-strictmode -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-def-strictmode" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^StrictMode.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:16" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+	<!-- @@GEN END rule-sshd-def-strictmode -->
+      </Group>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-auth">
+      <title>Authentication-related settings</title>
+      <description>
+        Being a remote shell service, authentication is one of the main features that OpenSSH provides. 
+        A few settings help us in hardening the SSH server even further.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-noroot">
+        <title>Disable root logins</title>
+        <description>
+          As root is one of the most powerful accounts, direct access to root should be limited. It is 
+          advised that, if a process needs root privileges, it uses a functional account which has the
+          right to call one or a few commands as root, but nothing else.
+          <h:br/>
+          <h:br/>
+          With OpenSSH, it is possible to prohibit direct root access towards the system if feasible within
+          your architecture. This can be accomplished using the <h:code>PermitRootLogin no</h:code> directive.
+          If you need root logins, consider only allowing specified command access (forced-commands-only).
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : PermitRootLogin
+# Set this to "no" or, if needed, "forced-commands-only"
+PermitRootLogin no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-norootlogin -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-norootlogin" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^PermitRootLogin no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:1" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-norootlogin -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nopassword">
+        <title>Use public key authentication</title>
+        <description>
+          By default, OpenSSH uses interactive, keyboard-based password logins. One intrinsic problem with
+          passwords is that they can be weak, but also that hacked passwords can be used from other locations.
+          <h:br/>
+          <h:br/>
+          A safer approach for remote shell invocation is to use a keypair: the key is much stronger than most
+          passwords, making brute-force improbably and dictionary-attacks useless. The private key is only
+          known by you (on your system) and optionally (but preferably) protected by a (strong) passphraze so that
+          adversaries that force access to your system can still not use your private key.
+          <h:br/>
+          <h:br/>
+          Such a keypair an be generated by the users using <h:b>ssh-keygen -t dsa</h:b> after which the private and
+          public keys are stored in <h:code>~/.ssh</h:code>
+          <h:br/>
+          <h:br/>
+          On the OpenSSH server level, you can force the use of public key authentication (and thus deny
+          keyboard-interactive password logins) using <h:code>PasswordAuthentication no</h:code>.
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : PasswordAuthentication
+# Set this to "no"
+PasswordAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-nopasswordauth -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nopasswordauth" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^PasswordAuthentication no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:2" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-nopasswordauth -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-auth-nochallengeresponse">
+        <title>Disable ChallengeResponseAuthentication</title>
+        <description>
+	  In OpenSSH, a (confusing) parameter called <h:code>ChallengeResponseAuthentication</h:code>
+	  is available (and by default enabled). Many users might believe that this implements a more secure
+	  authentication method (based on a challenge and a token that need to be verified - i.e. multi-factor
+	  authentication). However, in case of this parameter, this isn't true.
+          <h:br/>
+	  <h:br/>
+	  The <h:code>ChallengeResponseAuthentication</h:code> setting enables <h:em>TIS Challenge/Response</h:em>
+	  in SSH protocol version 1, and keyboard-interactive in SSH protocol v2. Hence, in our case, it is best
+	  set disabled as we do not want regular password authentication to be enabled (and don't use protocol
+	  version 1).
+	  <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : ChallengeResponseAuthentication
+# Set this to "no"
+ChallengeResponseAuthentication no</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-nochallengeresponse -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-nochallengeresponse" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^ChallengeResponseAuthentication no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:3" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-nochallengeresponse -->
+      </Group>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-acl">
+      <title>Access control related settings</title>
+      <description>
+        By default, OpenSSH allows access from any location and by any user who gets authenticated properly.
+        However, it is safer if you can restrict access from hosts that are allowed to access the SSH service
+        (and not other hosts) as well as users that are known to access the system remotely.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-allowgroup">
+        <title>Only allow specific group(s) access</title>
+        <description>
+          Not every user on your system needs to be able to remotely log on to the system. Many
+          users on your system are local-only, either because they are services accounts, or
+          because the users are only meant to log on directly (or through another service).
+          <h:br/>
+          <h:br/>
+          With OpenSSH, you can limit SSH access to users defined in a limited set of (Unix) groups.
+          It is recommended to define a Unix group (like <h:code>ssh</h:code> if that isn't used by the
+          service daemon itself) in which those users are defined, and then only allow SSH access
+          for this group.
+          <h:br/>
+          <h:pre>### /etc/ssh/sshd_config : AllowGroup
+# Set this to the unix group whose members are allowed access
+AllowGroup ssh</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-allowgroup -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-allowgroup" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^AllowGroup</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:5" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-allowgroup -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-hosts">
+        <title>Only allow specific host(s) access</title>
+        <description>
+          Not every host on your network (or beyond) needs access to your system. On the contrary, most
+          hosts probably shouldn't have SSH access to your system.
+          <h:br/>
+          <h:br/>
+          With a service called <h:em>tcpwrappers</h:em> OpenSSH allows administrators to define the hosts
+          allowed access (or explicitly not allowed access) in the <h:code>/etc/hosts.allow</h:code> and
+          <h:code>/etc/hosts.deny</h:code>.
+          <h:br/>
+          <h:br/>
+          For a good secure setting, it is recommended to disallow access from any host, and then explicitly grant
+          access from a select set of hosts (or subnetworks).
+          <h:br/>
+          <h:pre>### /etc/hosts.allow
+# Give the list of allowed hosts or networks
+sshd: 192.168.1.0/24</h:pre><h:br/>
+          <h:pre>### /etc/hosts.deny
+# Deny access by default from everywhere
+sshd: ALL</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-hostsallow -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsallow" selected="false">
+  <title>file /etc/hosts.allow must have a line that matches ^sshd:</title>
+  <description>file /etc/hosts.allow must have a line that matches ^sshd:</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:6" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-hostsallow -->
+        <!-- @@GEN START rule-sshd-hostsdeny -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-hostsdeny" selected="false">
+  <title>file /etc/hosts.deny must have a line that matches ^sshd: ALL</title>
+  <description>file /etc/hosts.deny must have a line that matches ^sshd: ALL</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:7" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-hostsdeny -->
+      </Group>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-acl-listen">
+        <title>Only listen on proper interfaces</title>
+        <description>
+          By default, OpenSSH listens on all available interfaces. In many cases though, this isn't necessary.
+          <h:br/>
+          <h:br/>
+          Multihomed systems (i.e. systems with multiple network interfaces) usually only use a single interface
+          for the administrative access, whereas the other interface is to connect to the Internet or disclose the
+          "business applications".
+          <h:br/>
+          <h:br/>
+          On dual stack systems (i.e. systems with an IPv4 and IPv6 stack) the IPv6 (or IPv4) address might not be
+          in use, or not for the administrative access (like through OpenSSH). In these cases, it is wise not to have
+          OpenSSH listen on these addresses either.
+          <h:br/>
+          <h:pre>## /etc/ssh/sshd_config : ListenAddress
+# Define a ListenAddress, but do not set it to "any address"
+# (which is 0.0.0.0 in IPv4 and :: in IPv6)
+ListenAddress 192.168.100.121</h:pre>
+        </description>
+        <!-- @@GEN START rule-sshd-listen -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^ListenAddress</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:19" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-listen -->
+        <!-- @@GEN START rule-sshd-listen4 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen4" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress.*0.0.0.0</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:17" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-listen4 -->
+        <!-- @@GEN START rule-sshd-listen6 -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-listen6" selected="false">
+  <title>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</title>
+  <description>file /etc/ssh/sshd_config may not have a line that matches ^ListenAddress[ ]*::$</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:18" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+        <!-- @@GEN END rule-sshd-listen6 -->
+      </Group>
+    </Group>
+    <Group id="xccdf_org.gentoo.dev.swift_group_config-use">
+      <title>Disable unused settings</title>
+      <description>
+        OpenSSH has a few more options that it supports. If you, however, have no need for these options,
+	it is safer to have them disabled. Potential vulnerabilities that might be discovered later on these
+	options then have no effect on your system.
+      </description>
+      <Group id="xccdf_org.gentoo.dev.swift_group_config-use-tcpfwd">
+        <title>Disable TCP forwarding</title>
+	<description>
+	  SSH supports "tunneling", where packets are forwarded over a (partially) secure channel towards
+	  another location. If you do not need this, disable TCP forwarding through <h:code>AllowTcpForwarding no</h:code>
+	  <h:br/>
+	  <h:pre>### /etc/ssh/sshd_config : AllowTcpForwarding
+# If not needed, disable TCP forwarding
+AllowTcpForwarding no</h:pre>
+	</description>
+	<!-- @@GEN START rule-sshd-notcpfwd -->
+<Rule id="xccdf_org.gentoo.dev.swift_rule_sshd-notcpfwd" selected="false">
+  <title>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</title>
+  <description>file /etc/ssh/sshd_config must have a line that matches ^AllowTcpForwarding.*no</description>
+  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+    <check-content-ref name="oval:org.gentoo.dev.swift:def:20" href="openssh-oval.xml"/>
+  </check>
+</Rule>
+	<!-- @@GEN END rule-sshd-notcpfwd -->
+      </Group>
+    </Group>
+  </Group>
+</Benchmark></ds:component><ds:component id="scap_org.open-scap_comp_gentoo-oval.xml" timestamp="2013-09-23T20:37:59"><oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:lin-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ind-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="                 http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd                 http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd                 http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd                 http://oval.mitre.org/XMLSchema/oval-definitions-5#independent
  independent-definitions-schema.xsd                 http://standards.iso.org/iso/19770/-2/2009/schema.xsd schema.xsd">
+
+<generator>
+  <oval:product_name>OVAL Gentoo Linux</oval:product_name>
+  <oval:product_version>20130917.1</oval:product_version>
+  <oval:schema_version>5.10</oval:schema_version>
+  <oval:timestamp>2013-09-17T19:42:00</oval:timestamp>
+</generator>
+  
+<definitions>
+
+  <definition id="oval:org.gentoo.dev.swift:def:1" version="1" class="inventory">
+    <metadata>
+      <title>Gentoo Linux is installed</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests whether Gentoo Linux is installed.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:1" comment="The /etc/gentoo-release file exists"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:2" version="1" class="compliance">
+    <metadata>
+      <title>The /home location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14559-9"/>
+      <description>
+        This definition tests whether the /home location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:3" version="1" class="compliance">
+    <metadata>
+      <title>The /home file system is mounted with the nosuid option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests whether the /home partition is mounted with the nosuid 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:3" comment="The /home partition is mounted with nosuid mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:4" version="1" class="compliance">
+    <metadata>
+      <title>The /home file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests whether the /home partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:2" comment="The /home location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:4" comment="The /home partition is mounted with nodev mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:5" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14161-4"/>
+      <description>
+        This definition tests whether the /tmp location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:6" version="1" class="compliance">
+    <metadata>
+      <title>The /var location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14777-7"/>
+      <description>
+        This definition tests whether the /var location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:7" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14011-1"/>
+      <description>
+        This definition tests whether the /var/log location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:8" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log/audit location must be a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14171-3"/>
+      <description>
+        This definition tests whether the /var/log/audit location is a separate file
+        system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:9" version="1" class="compliance">
+    <metadata>
+      <title>The /var file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:6" comment="The /var location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:9" comment="The /var partition is mounted with nodev mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:10" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var/log partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:7" comment="The /var/log location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:10" comment="The /var/log partition is mounted with nodev mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:11" version="1" class="compliance">
+    <metadata>
+      <title>The /var/log/audit file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /var/log/audit partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:8" comment="The /var/log/audit location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:11" comment="The /var/log/audit partition is mounted with nodev mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:12" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the nodev option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4249-9"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the nodev 
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:12" comment="The /tmp partition is mounted with nodev mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:13" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the nosuid option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14940-1"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the nosuid
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:13" comment="The /tmp partition is mounted with nosuid mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:14" version="1" class="compliance">
+    <metadata>
+      <title>The /dev/shm file system is mounted with the nosuid option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14306-5"/>
+      <description>
+        This definition tests whether the /dev/shm partition is mounted with the nosuid
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:15" comment="The /dev/shm file system is mounted with nosuid mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:15" version="1" class="compliance">
+    <metadata>
+      <title>The /tmp file system is mounted with the noexec option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14927-8"/>
+      <description>
+        This definition tests whether the /tmp partition is mounted with the noexec
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:5" comment="The /tmp location is on a separate partition"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:16" comment="The /tmp partition is mounted with noexec mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:16" version="1" class="compliance">
+    <metadata>
+      <title>The /dev/shm file system is mounted with the noexec option</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14703-3"/>
+      <description>
+        This definition tests whether the /dev/shm partition is mounted with the noexec
+        mount option.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:14" comment="The /dev/shm location is a separate file system"/>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:17" comment="The /dev/shm file system is mounted with nosuid mount option"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:17" version="1" class="compliance">
+    <metadata>
+      <title>The /var/tmp location is on a separate file system</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-14584-7"/>
+      <description>
+        This definition tests whether the /var/tmp location is on its own file system.
+      </description>
+    </metadata>
+    <criteria operator="AND">
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:18" comment="The /var/tmp location is a separate file system"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:18" version="1" class="compliance">
+    <metadata>
+      <title>The kernel is build with quota support (CONFIG_QUOTA)</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests whether the Linux kernel is build with quota support (CONFIG_QUOTA).
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:19" comment="The Linux kernel is build with CONFIG_QUOTA"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:19" version="1" class="compliance">
+    <metadata>
+      <title>No process matching "telnetd" is running</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-3390-2"/>
+      <description>
+        This definition tests if no telnet daemon processes are running.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:20" comment="No telnet daemons are running"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:20" version="1" class="compliance">
+    <metadata>
+      <title>No process matching "ftpd" is running</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4273-9"/>
+      <description>
+        This definition tests if no FTP daemon processes are running.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:21" comment="No FTP daemons are running"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:21" version="1" class="compliance">
+    <metadata>
+      <title>rc.conf's rc_shell should be set to /sbin/sulogin</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6"/>
+      <description>
+        This definition tests if rc_shell in /etc/rc.conf is set to /sbin/sulogin, ensuring
+        that single user boots still require the root password to be provided.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:22" comment="/etc/rc.conf rc_shell is set to /sbin/sulogin"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:22" version="1" class="compliance">
+    <metadata>
+      <title>Single user definitions in inittab should only refer to '/sbin/rc single' or '/sbin/sulogin'</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <reference source="CCE" ref_url="http://nvd.nist.gov/cce/index.cfm" ref_id="CCE-4241-6"/>
+      <description>
+        This definition tests if /etc/inittab single user login settings only refers
+        to '/sbin/rc single' or '/sbin/sulogin'.
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:23" comment="/etc/inittab single user settings refers only to '/sbin/rc single' or '/sbin/sulogin'"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:23" version="1" class="compliance">
+    <metadata>
+      <title>Verify that /etc/hosts.allow exists</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests if /etc/hosts.allow exists. 
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:24" comment="/etc/hosts.allow exists"/>
+    </criteria>
+  </definition>
+
+  <definition id="oval:org.gentoo.dev.swift:def:24" version="1" class="compliance">
+    <metadata>
+      <title>Verify that /etc/at/at.allow exists</title>
+      <affected family="unix">
+        <platform>Gentoo Linux</platform>
+      </affected>
+      <description>
+        This definition tests if /etc/at/at.allow exists. 
+      </description>
+    </metadata>
+    <criteria>
+      <criterion test_ref="oval:org.gentoo.dev.swift:tst:25" comment="/etc/at/at.allow exists"/>
+    </criteria>
+  </definition>
+
+</definitions>
+
+<tests>
+
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:1" version="1" check="all" check_existence="all_exist" comment="Tests that /etc/gentoo-release exists">
+    <!-- /etc/gentoo-release file -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:1"/>
+  </unix-def:file_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:2" version="1" check="all" check_existence="all_exist" comment="Tests that /home is a separate file system">
+    <!-- /home partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:3" version="1" check="all" check_existence="all_exist" comment="Tests that /home is mounted with nosuid option">
+    <!-- /home partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+    <!-- "nosuid" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:4" version="1" check="all" check_existence="all_exist" comment="Tests that /home is mounted with nodev option">
+    <!-- /home partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:2"/>
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:5" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is a separate file system">
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:6" version="1" check="all" check_existence="all_exist" comment="Tests that /var is a separate file system">
+    <!-- /var partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:7" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log is a separate file system">
+    <!-- /var/log partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:8" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log/audit is a separate file system">
+    <!-- /var/log/audit partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:9" version="1" check="all" check_existence="all_exist" comment="Tests that /var is mounted with nodev option">
+    <!-- /var partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:4"/>
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:10" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log is mounted with nodev option">
+    <!-- /var/log partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:5"/>
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:11" version="1" check="all" check_existence="all_exist" comment="Tests that /var/log/audit is mounted with nodev option">
+    <!-- /var/log/audit partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:6"/>
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:12" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is mounted with nodev option">
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+    <!-- "nodev" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:2"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:13" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is mounted with nosuid option">
+    <!-- /tmp partition -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+    <!-- "nosuid" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:14" version="1" check="all" check_existence="all_exist" comment="Tests that /dev/shm is a separate file system">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:15" version="1" check="all" check_existence="all_exist" comment="Tests that /dev/shm is mounted with nosuid option">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7"/>
+    <!-- "nosuid" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:1"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:16" version="1" check="all" check_existence="all_exist" comment="Tests that /tmp is mounted with noexec option">
+    <!-- /tmp file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:3"/>
+    <!-- "noexec" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:17" version="1" check="all" check_existence="all_exist" comment="Tests that /dev/shm is mounted with noexec option">
+    <!-- /dev/shm file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:7"/>
+    <!-- "noexec" mount option -->
+    <lin-def:state state_ref="oval:org.gentoo.dev.swift:ste:3"/>
+  </lin-def:partition_test>
+
+  <lin-def:partition_test id="oval:org.gentoo.dev.swift:tst:18" version="1" check="all" check_existence="all_exist" comment="Tests that /var/tmp is on its own file system">
+    <!-- /var/tmp file system -->
+    <lin-def:object object_ref="oval:org.gentoo.dev.swift:obj:8"/>
+  </lin-def:partition_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:19" version="2" check="all" check_existence="at_least_one_exists" comment="Tests that CONFIG_QUOTA is in the kernel configuration">
+    <!-- The file containing kernel configuration matching CONFIG_QUOTA -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:9"/>
+    <!-- Match for "^CONFIG_QUOTA=[ym]" -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:4"/>
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:20" version="1" check="all" check_existence="none_exist" comment="Tests that no telnet daemons are running">
+    <!-- Process matching "telnetd" -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:10"/>
+  </unix-def:process58_test>
+
+  <unix-def:process58_test id="oval:org.gentoo.dev.swift:tst:21" version="1" check="all" check_existence="none_exist" comment="Tests that no FTP daemons are running">
+    <!-- Process matching "ftpd" -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:11"/>
+  </unix-def:process58_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:22" version="1" check="at least one" check_existence="all_exist" comment="Tests that rc_shell in /etc/rc.conf is set to /sbin/sulogin">
+    <!-- The variable settings in /etc/rc.conf -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:12"/>
+    <!-- Match for rc_shell=/sbin/sulogin -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:5"/>
+  </ind-def:textfilecontent54_test>
+
+  <ind-def:textfilecontent54_test id="oval:org.gentoo.dev.swift:tst:23" version="1" check="all" check_existence="at_least_one_exists" comment="Tests that single-user boot only triggers '/sbin/rc single' or '/sbin/sulogin'">
+    <!-- The single-user boot rules in /etc/inittab -->
+    <ind-def:object object_ref="oval:org.gentoo.dev.swift:obj:13"/>
+    <!-- The '/sbin/rc single' or '/sbin/sulogin' matches -->
+    <ind-def:state state_ref="oval:org.gentoo.dev.swift:ste:6"/>
+  </ind-def:textfilecontent54_test>
+
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:24" version="1" check="all" check_existence="all_exist" comment="Tests that /etc/hosts.allow exists">
+    <!-- The /etc/hosts.allow file -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:14"/>
+  </unix-def:file_test>
+
+  <unix-def:file_test id="oval:org.gentoo.dev.swift:tst:25" version="1" check="all" check_existence="all_exist" comment="Tests that /etc/at/at.allow exists">
+    <!-- The /etc/at/at.allow file -->
+    <unix-def:object object_ref="oval:org.gentoo.dev.swift:obj:15"/>
+  </unix-def:file_test>
+
+</tests>
+
+<objects>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:1" version="1" comment="The /etc/gentoo-release file">
+    <unix-def:filepath>/etc/gentoo-release</unix-def:filepath>
+  </unix-def:file_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:2" version="1" comment="The /home partition">
+    <lin-def:mount_point>/home</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:3" version="1" comment="The /tmp partition">
+    <lin-def:mount_point>/tmp</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:4" version="1" comment="The /var partition">
+    <lin-def:mount_point>/var</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:5" version="1" comment="The /var/log partition">
+    <lin-def:mount_point>/var/log</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:6" version="1" comment="The /var/log/audit partition">
+    <lin-def:mount_point>/var/log/audit</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:7" version="1" comment="The /dev/shm file system">
+    <lin-def:mount_point>/dev/shm</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <lin-def:partition_object id="oval:org.gentoo.dev.swift:obj:8" version="1" comment="The /var/tmp file system">
+    <lin-def:mount_point>/var/tmp</lin-def:mount_point>
+  </lin-def:partition_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:9" version="2" comment="The file containing kernel configuration CONFIG_QUOTA">
+    <ind-def:filepath>/usr/src/linux/.config</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">CONFIG_QUOTA.*</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:10" version="1" comment="Process matching telnetd in its command name">
+    <unix-def:command_line operation="pattern match">.*[Tt][Ee][Ll][Nn][Ee][Tt][Dd].*</unix-def:command_line>
+    <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+  </unix-def:process58_object>
+
+  <unix-def:process58_object id="oval:org.gentoo.dev.swift:obj:11" version="1" comment="Process matching ftpd in its command name">
+    <unix-def:command_line operation="pattern match">.*[Ff][Tt][Pp][Dd].*</unix-def:command_line>
+    <unix-def:pid datatype="int" operation="greater than">0</unix-def:pid>
+  </unix-def:process58_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:12" version="1" comment="The /etc/rc.conf variable declarations">
+    <ind-def:filepath>/etc/rc.conf</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^[[:space:]]*[\S]+[[:space:]]*=[[:space:]]*[\S]+</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <ind-def:textfilecontent54_object id="oval:org.gentoo.dev.swift:obj:13" version="1" comment="The /etc/inittab contents">
+    <ind-def:filepath>/etc/inittab</ind-def:filepath>
+    <ind-def:pattern operation="pattern match">^[\S]+:S:[\S]+:.*</ind-def:pattern>
+    <ind-def:instance operation="greater than or equal" datatype="int">1</ind-def:instance>
+  </ind-def:textfilecontent54_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:14" version="1" comment="The /etc/hosts.allow file">
+    <unix-def:filepath>/etc/hosts.allow</unix-def:filepath>
+  </unix-def:file_object>
+
+  <unix-def:file_object id="oval:org.gentoo.dev.swift:obj:15" version="1" comment="The /etc/at/at.allow file">
+    <unix-def:filepath>/etc/at/at.allow</unix-def:filepath>
+  </unix-def:file_object>
+
+</objects>
+
+<states>
+
+  <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:1" version="1" comment="The file system is mounted with the nosuid mount option">
+    <lin-def:mount_options entity_check="at least one">nosuid</lin-def:mount_options>
+  </lin-def:partition_state>
+
+  <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:2" version="1" comment="The file system is mounted with the nodev mount option">
+    <lin-def:mount_options entity_check="at least one">nodev</lin-def:mount_options>
+  </lin-def:partition_state>
+
+  <lin-def:partition_state id="oval:org.gentoo.dev.swift:ste:3" version="1" comment="The file system is mounted with the noexec mount option">
+    <lin-def:mount_options entity_check="at least one">noexec</lin-def:mount_options>
+  </lin-def:partition_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:4" version="1" comment="Matching ^CONFIG_QUOTA=[ym]">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">^CONFIG_QUOTA=[ym]</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:5" version="1" comment="Matching rc_shell=/sbin/sulogin">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">rc_shell[[:space:]]*=[[:space:]]*["]?/sbin/sulogin["]?</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
+  <ind-def:textfilecontent54_state id="oval:org.gentoo.dev.swift:ste:6" version="1" comment="Single user boot lines may only match '/sbin/rc single' or '/sbin/sulogin'">
+    <ind-def:text datatype="string" operation="pattern match" entity_check="all">su[[:digit:]]+:S:[\S]+:(/sbin/rc single|/sbin/sulogin)</ind-def:text>
+  </ind-def:textfilecontent54_state>
+
+</states>
+
+<!--
+<variables>
+</variables>
+-->
+</oval_definitions></ds:component><ds:component id="scap_org.open-scap_comp_gentoo-cpe.xml" timestamp="2013-09-17T20:21:19"><cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
+  <cpe-item name="cpe:/o:gentoo:linux">
+    <title>Gentoo Linux</title>
+    <notes>
+      <note>This CPE Name represents Gentoo Linux</note>
+    </notes>
+    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="gentoo-oval.xml">oval:org.gentoo.dev.swift:def:1</check>
+  </cpe-item>
+</cpe-list></ds:component></ds:data-stream-collection>