This was all on purpose. Except the removal of the /var/log/cron file, which I had forgotten to take care of until now. It only existed as a vestige of some testing, and now is gone. The reasoning there is that requirements for /var/log will subsume any individual checks for files in that directory. A strategy for file permissions is being documented here (as part of the STIG consensus work): https://fedorahosted.org/scap-security-guide/wiki/STIGfileperms
The generation of OVAL checks for file permissions should be templated as much as possible. Note that I'm not saying the template is as good as it should be, however.
Please see earlier posts from Michael Palmiotto on why the IPv6 sysctl tests are not templated. This is to permit tests to pass if IPv6 is not active at all.
On 09/05/2012 05:43 PM, Kenneth Stailey wrote:
On Wed, Sep 5, 2012 at 5:09 PM, Kenneth Stailey kstailey.lists@gmail.com wrote:
On Wed, Sep 5, 2012 at 4:40 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
good to chat with you -- as we discussed, let's try updating the checks/templates/file_dir_permissions templates file for this (and for future file permission checks). (and then commit changes from the template list and also the resultant OVAL.)
Nice to talk with you too. Thanks for pointing out the templates directory. I've redone the change by updating the file_dir_permissions.csv file and generating the file_permissions_etc_gshadow.xml from that. I'll send this out as email.
Regarding templates, I noticed that RHEL6/input/checks/templates/file_dir_permissions.csv used to have /var/log,cron,0,0,0600, in it but not now, yet RHEL6/input/checks/file_permissions_var_log_cron.xml still exists and has a comment that it was generated from a template.
The same seems true for RHEL6/input/checks/templates/sysctl_values.csv once having net.ipv6.conf.default.accept_redirects but no more, yet generated file RHEL6/input/checks/templates/sysctl_net_ipv6_conf_default_accept_redirects.xml still exists.

scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
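The templated generation discussed in this thread (a row such as `/var/log,cron,0,0,0600` in file_dir_permissions.csv turning into a file_permissions_var_log_cron.xml OVAL check) can be illustrated with the following added example. It is not the scap-security-guide project's own template script; it assumes the five-column row layout `directory,filename,uid,gid,maximum-mode` that the quoted row shows, and it emits the OVAL unix-def file_test/file_object/file_state structure, in which every permission bit that the maximum mode does not grant is asserted `false`. The two CSV rows are constructed sample input.

```python
import csv
import io
from xml.etree import ElementTree as ET

# Constructed sample rows in the shape of file_dir_permissions.csv:
# directory,filename,owner uid,group gid,maximum permitted mode (octal)
SAMPLE_CSV = """/etc,gshadow,0,0,0000
/var/log,cron,0,0,0600
"""

UNIX_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
ET.register_namespace("unix", UNIX_NS)

# unix-def file_state boolean permission elements and the mode bit each one represents
PERM_BITS = [
    ("uread", 0o400), ("uwrite", 0o200), ("uexec", 0o100),
    ("gread", 0o040), ("gwrite", 0o020), ("gexec", 0o010),
    ("oread", 0o004), ("owrite", 0o002), ("oexec", 0o001),
    ("suid", 0o4000), ("sgid", 0o2000), ("sticky", 0o1000),
]


def parse_rows(text):
    """Parse CSV text into dicts; blank lines and '#' comments are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].startswith("#"):
            continue
        directory, filename, uid, gid, mode = rec[:5]
        rows.append({"dir": directory, "name": filename,
                     "uid": int(uid), "gid": int(gid), "mode": int(mode, 8)})
    return rows


def denied_bits(mode):
    """Permission elements that must be false because the maximum mode lacks them."""
    return [name for name, bit in PERM_BITS if not mode & bit]


def check_id(directory, filename):
    """Derive the check id the same way the thread's file names suggest:
    /var/log + cron -> file_permissions_var_log_cron (hypothetical naming rule)."""
    stem = (directory.strip("/") + "_" + filename).replace("/", "_").replace(".", "_")
    return "file_permissions_" + stem


def u(tag):
    return "{%s}%s" % (UNIX_NS, tag)


def build_check(row):
    """Return (check_id, OVAL XML string) for one CSV row."""
    cid = check_id(row["dir"], row["name"])
    path = "%s/%s" % (row["dir"], row["name"])
    root = ET.Element("def-group")

    defn = ET.SubElement(root, "definition", {"class": "compliance", "id": cid, "version": "1"})
    meta = ET.SubElement(defn, "metadata")
    ET.SubElement(meta, "title").text = "Verify permissions on %s" % path
    ET.SubElement(meta, "description").text = (
        "%s must be owned by uid %d, gid %d, with mode no more permissive than %04o"
        % (path, row["uid"], row["gid"], row["mode"]))
    criteria = ET.SubElement(defn, "criteria")
    ET.SubElement(criteria, "criterion", {"test_ref": "test_" + cid})

    # check_existence="any_exist": an absent file does not fail the check, which
    # mirrors the thread's concern about tests that should pass when a feature is not active
    test = ET.SubElement(root, u("file_test"), {
        "check": "all", "check_existence": "any_exist",
        "comment": "permissions on " + path, "id": "test_" + cid, "version": "1"})
    ET.SubElement(test, u("object"), {"object_ref": "obj_" + cid})
    ET.SubElement(test, u("state"), {"state_ref": "state_" + cid})

    obj = ET.SubElement(root, u("file_object"), {"id": "obj_" + cid, "version": "1"})
    ET.SubElement(obj, u("path")).text = row["dir"]
    ET.SubElement(obj, u("filename")).text = row["name"]

    state = ET.SubElement(root, u("file_state"), {"id": "state_" + cid, "version": "1"})
    ET.SubElement(state, u("user_id"), {"datatype": "int"}).text = str(row["uid"])
    ET.SubElement(state, u("group_id"), {"datatype": "int"}).text = str(row["gid"])
    for name in denied_bits(row["mode"]):
        ET.SubElement(state, u(name), {"datatype": "boolean"}).text = "false"

    return cid, ET.tostring(root, encoding="unicode")


def generate_all(text):
    """Map check id -> XML for every row in the CSV text."""
    return dict(build_check(row) for row in parse_rows(text))


if __name__ == "__main__":
    for cid, xml in generate_all(SAMPLE_CSV).items():
        print("==", cid + ".xml")
        print(xml)
```

Because the state only lists the bits the maximum mode forbids, a file that is stricter than the CSV row (for example 0400 where 0600 is the maximum) still passes, which is the intended "no more permissive than" semantics; a row's mode therefore encodes a ceiling, not an exact value.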