On 1/31/13 3:30 PM, Jeffrey Blank wrote:
Looks fine to me, just so long as you'd considered extending the Common profile (and then intentionally chosen not to use it).
To give us a solid starting point I wanted to create a profile which
held *only* the USGCB rules from RHEL5 and did not extend beyond them.
Regarding the note about cron permissions ("placeholder"), they may have been removed in favor of the systemwide RPM permissions check, though I'll admit I don't recall precisely. Strategy was documented here: https://fedorahosted.org/scap-security-guide/wiki/STIGfileperms

The crontab files themselves are user generated; they would not be picked up with RPM verification. There is a section on this within the SSG, however it's been commented out. Over the next few weeks I'll revisit this.
Also, this is great stuff!
Seeing this come together shows how the content can be leveraged for two
baselines, which increases quality through vendor coordination, and
decreases government waste.
And of course, for any of our friends at NIST, the comments in the
profile make clear that this is really just a candidate for submission,
and not official yet :) But it's on its way.
Hmmm, do we have a transform that creates a table in line with what's called for in NIST SP 800-70 Appendix E, for proper submission, sans perhaps the "Impact" column (which lacks a corresponding XCCDF element)?
Not yet.... and you have such amazing xslt skills.... hmm... ;)