Just to add: CCEs don't actually require anything in themselves. Technically, the CCE serves only to indicate that we are talking about the permissions on that file (and perhaps provide a selection of choices, from which baselines may select a requirement.)
http://cce.mitre.org/lists/cce_list.html
And thanks for the QA / improving the content!
On 08/31/2012 02:48 PM, Kenneth Stailey wrote:
Hi,
RHEL5 ships with /etc/shadow and gshadow set to mode 0400 while RHEL 6 uses mode 0 for those two files.
CCE-3932-1 and CCE-4130-1 require mode 0400.
Changing RHEL 6 to use 0400 causes CCE-14931 (verify files against RPM database) to flag /etc/shadow and gshadow as modified.
Is it better to change /etc/shadow and gshadow to 0400 or use the mode 0 that the files are distributed from Red Hat with?
Thanks
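An added example, not part of the original thread: a small audit that shows the two checks discussed above side by side, the baseline's mode requirement and the `rpm -V` mode comparison. Treating 0400 as a ceiling (no permission bits beyond it) is an assumption about how a baseline might phrase the requirement; the function names and the `rpm -V` sample lines are constructed for illustration.

```python
import re

# One line of `rpm -V` output: attribute flags, optional file-type marker, path.
# The second flag character is 'M' when the file mode differs from the RPM database.
RPM_V_LINE = re.compile(
    r"^(?P<flags>[A-Za-z0-9.?]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Constructed sample: what `rpm -V setup` could print after chmod 0400 on both files.
SAMPLE_RPM_V = """\
.M.......  c /etc/shadow
.M.......  c /etc/gshadow
"""

def mode_flagged(rpm_v_output):
    """Return the paths whose mode rpm reports as changed."""
    flagged = set()
    for line in rpm_v_output.splitlines():
        m = RPM_V_LINE.match(line.strip())
        if m and m.group("flags")[1] == "M":
            flagged.add(m.group("path"))
    return flagged

def within_ceiling(mode, ceiling):
    """True when mode grants no permission bit outside ceiling (assumed reading)."""
    return ((mode & 0o7777) & ~ceiling) == 0

def audit(observed, rpm_v_output, ceiling=0o400):
    """Combine both checks per file; observed maps path -> st_mode or octal mode."""
    flagged = mode_flagged(rpm_v_output)
    return {
        path: {
            "mode": format(mode & 0o7777, "04o"),
            "within_ceiling": within_ceiling(mode, ceiling),
            "rpm_mode_changed": path in flagged,
        }
        for path, mode in observed.items()
    }

if __name__ == "__main__":
    # Files changed to 0400: pass the ceiling check, but rpm flags the mode.
    print(audit({"/etc/shadow": 0o400, "/etc/gshadow": 0o400}, SAMPLE_RPM_V))
    # Files left at the shipped mode 0: pass the ceiling check, nothing flagged.
    print(audit({"/etc/shadow": 0o000, "/etc/gshadow": 0o000}, ""))
```

On a live system the `observed` modes would come from `os.stat(path).st_mode` and the second argument from the captured output of `rpm -V`.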