You are entirely right. This is being worked.
The only reason the RHEL 5 CCEs are currently in the content is to facilitate their easy replacement with RHEL 6 ones (if a mapping is provided), once they are available.
This transform was provided in order to enable correction of the ones that are simply wrong (as in wrong semantically, and not just with regard to version mismatch): http://people.redhat.com/swells/scap-security-guide/RHEL6/output/rhel6-table...
On 08/31/2012 06:04 PM, Steinke, Leland J CTR DISA FSO (US) wrote:
I'm certain others will correct me if I am wrong, but...
CCEs should not be shared between successive generations of operating system software. I just did a quick compare of the CCEs for RHEL5 and RHEL4 and the CCE IDs do not overlap. The only RHEL4 CCE corresponding to the RHEL5 /etc/*shadow permissions CCEs is CCE-5735-6 for /etc/shadow perms; there is no RHEL4 CCE referencing /etc/gshadow perms.
I cannot find a specific FAQ entry or explanation, beyond 'A CCE "platform group" roughly identifies the operating system or application to which a CCE entry applies' in several places on cce.mitre.org.
Regards,
--
Leland Steinke, Security+
DISA FSO Technical Support Contractor
tapestry technologies, llc
717-267-5797 (DSN 570)
leland.j.steinke.ctr@mail.mil (gov't)
lsteinke@tapestrytech.com (com'l)

-----Original Message-----
From: scap-security-guide-bounces@lists.fedorahosted.org [mailto:scap-security-guide-bounces@lists.fedorahosted.org] On Behalf Of Jeffrey Blank
Sent: Friday, August 31, 2012 5:14 PM
To: scap-security-guide@lists.fedorahosted.org
Subject: Re: /etc/shadow and gshadow mode 0400 or 0?
Just to add: CCEs don't actually require anything in themselves. Technically, the CCE serves only to indicate that we are talking about the permissions on that file (and perhaps provide a selection of choices, from which baselines may select a requirement.)
http://cce.mitre.org/lists/cce_list.html
And thanks for the QA / improving the content!
On 08/31/2012 02:48 PM, Kenneth Stailey wrote:
Hi,
RHEL5 ships with /etc/shadow and gshadow set to mode 0400 while RHEL 6 uses mode 0 for those two files.
CCE-3932-1 and CCE-4130-1 require mode 0400.
Changing RHEL 6 to use 0400 causes CCE-14931 (verify files against RPM database) to flag /etc/shadow and gshadow as modified.
Is it better to change /etc/shadow and gshadow to 0400 or use the mode 0 that the files are distributed from Red Hat with?
Thanks

_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
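The conflict raised in the original question (a chmod to 0400 makes the RPM verification check flag /etc/shadow and /etc/gshadow) can be triaged by decoding the `rpm -V` attribute string. The script below is an added example, not part of the thread or of the scap-security-guide content; the function names are hypothetical and the sample output is constructed, not captured from a real system.

```shell
#!/bin/sh
# Constructed sample in the layout `rpm -V` prints: a 9-character attribute
# string (S M 5 D L U G T P), an optional file-type marker, then the path.
sample_verify_output() {
cat <<'EOF'
.M.......  c /etc/shadow
.M.......  c /etc/gshadow
S.5....T.  c /etc/ssh/sshd_config
EOF
}

# Name every attribute that differs from the RPM database, one path per line.
# Paths containing spaces are not handled (only the last field is printed).
explain_verify() {
    awk '
    BEGIN { split("size mode digest device link user group mtime caps", name, " ") }
    $1 == "missing" { print $NF ": missing"; next }
    length($1) >= 8 {
        out = ""; sep = ""
        for (i = 1; i <= 9 && i <= length($1); i++) {
            c = substr($1, i, 1)
            if (c != "." && c != "?") { out = out sep name[i]; sep = "," }
        }
        if (out != "") print $NF ": " out
    }'
}

# Paths where the mode is the only difference, e.g. after a chmod 0400 on a
# file that the package ships as mode 0: content and ownership still match.
mode_only_changes() {
    awk '$1 ~ /^\.M\.+$/ { print $NF }'
}

# On a live system: rpm -Vf /etc/shadow | explain_verify
sample_verify_output | explain_verify
```

Separating mode-only findings from digest or ownership changes lets a reviewer tell a deliberate permission change apart from a modified file when reading the verification results.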