added and modified a few things, including using gconftool-2 itself to query gconf values
David Smith (1): OCIL text additions and modifications
RHEL6/input/services/nfs.xml | 10 +++++++
RHEL6/input/system/accounts/physical.xml | 26 ++++++++++----------
.../accounts/restrictions/password_expiration.xml | 2 +-
3 files changed, 24 insertions(+), 14 deletions(-)
Signed-off-by: David Smith <dsmith@eclipse.ncsc.mil>
---
RHEL6/input/services/nfs.xml | 10 +++++++
RHEL6/input/system/accounts/physical.xml | 26 ++++++++++----------
.../accounts/restrictions/password_expiration.xml | 2 +-
3 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index 31e17c3..758c494 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml @@ -226,6 +226,11 @@ See the section titled "Restrict Partition Mount Options" for a description of t <Rule id="use_nodev_option_on_nfs_mounts"> <title>Mount Remote Filesystems with nodev</title> <description>The <tt>nodev</tt> option should be enabled for all NFS mounts</description> +<ocil clause="the setting does not show"> +To verify that the <tt>nodev</tt> option is configured for all NFS mounts, run the following command: +<pre>$ mount | grep nfs</pre> +All NFS mounts should show the <tt>nodev</tt> setting in parentheses. +</ocil> <rationale>Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.</rationale> <ident cce="4368-7" /> @@ -235,6 +240,11 @@ should not present device files to users.</rationale> <Rule id="use_nosuid_option_on_nfs_mounts"> <title>Mount Remote Filesystems with nosuid</title> <description>The <tt>nosuid</tt> option should be enabled for all NFS mounts</description> +<ocil clause="the setting does not show"> +To verify that the <tt>nosuid</tt> option is configured for all NFS mounts, run the following command: +<pre>$ mount | grep nfs</pre> +All NFS mounts should show the <tt>nosuid</tt> setting in parentheses. +</ocil> <rationale>NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.</rationale> <ident cce="4024-6" /> diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 11ddc1b..25b326c 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml 
@@ -220,10 +220,9 @@ desktop lockout should be 15 minutes. --set /apps/gnome-screensaver/idle_delay 15</pre> </description> <ocil clause="it is not"> -To check the current idle time-out value, open the following -file:<pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the -<tt>idle_delay</tt> schema. If properly configured, the value -should be <tt>15</tt>. +To check the current idle time-out value, run the following command: +<pre>$ gconftool-2 -g /apps/gnome-screensaver/idle_delay</pre> +If properly configured, the output should be <tt>15</tt>. </ocil> <rationale> Setting the idle delay controls when the @@ -244,10 +243,9 @@ enabled --type bool \ --set /apps/gnome-screensaver/idle_activation_enabled true</pre> </description> -<ocil>To check the screensaver mandatory use status, open the following file: -<pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> -Search for the <tt>idle_activation_enabled</tt> schema. -If properly configured, the <tt>default</tt> value should be <tt>TRUE</tt>. If it is not, this is a finding. +<ocil clause="it is not">To check the screensaver mandatory use status, run the following command: +<pre>$ gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled</pre> +If properly configured, the output should be <tt>true</tt>. </ocil> <rationale> Enabling idle activation of the screen saver ensures that the 
@@ -267,7 +265,10 @@ enabled. --type bool \ --set /apps/gnome-screensaver/lock_enabled true</pre> </description> -<ocil>To check the status of the idle screen lock activation, open the following file: <pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the <tt>lock_enabled</tt> schema. If properly configured, the <tt>default</tt> value should be <tt>TRUE</tt>. If it is not, this is a finding. +<ocil clause="it is not"> +To check the status of the idle screen lock activation, run the following command: +<pre>$ gconftool-2 -g /apps/gnome-screensaver/lock_enabled</pre> +If properly configured, the output should be <tt>true</tt>. </ocil> <rationale> Enabling the activation of the screen lock after an idle period @@ -290,10 +291,9 @@ The screen saver should be blank. --set /apps/gnome-screensaver/mode blank-only</pre> </description> <ocil clause="it is not"> -To ensure the screensaver is configured to be blank, open the following -file: <pre>/etc/gconf/schemas/gnome-screensaver.schemas</pre> Search for the -<tt>mode</tt> schema. If properly configured, the <tt>default</tt> value -should be <tt>blank-only</tt>. +To ensure the screensaver is configured to be blank, run the following command: +<pre>$ gconftool-2 -g /apps/gnome-screensaver/mode</pre> +If properly configured, the output should be <tt>blank-only</tt> </ocil> <rationale> Setting the screensaver mode to blank-only conceals the diff --git a/RHEL6/input/system/accounts/restrictions/password_expiration.xml b/RHEL6/input/system/accounts/restrictions/password_expiration.xml index 2512c37..3ac9f7a 100644 --- a/RHEL6/input/system/accounts/restrictions/password_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/password_expiration.xml 
@@ -171,7 +171,7 @@ environments. </description> <ocil clause="it is not set to the required value"> To check the password warning age, run the command: -<pre>$ grep PASS_WARN_DAYS /etc/login.defs</pre> +<pre>$ grep PASS_WARN_AGE /etc/login.defs</pre> A value of 7 days is sufficient for many environments. The DoD requirement is 7. </ocil>
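Review bot: In both nfs.xml hunks the check `mount | grep nfs` also matches lines that are not remote mounts, such as the `nfsd` pseudo-filesystem on /proc/fs/nfsd, and those lines will never carry `nodev` or `nosuid`, so a reviewer following the text literally can record a false finding. Consider `mount -t nfs,nfs4` (or `mount | grep ' type nfs'`) so only NFS mounts are listed, and state that the option must appear in the parenthesised option list of every listed mount.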
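Review bot: In the four physical.xml hunks, `gconftool-2 -g` returns the effective value for the user running the command, so when the check is run as root it reports root's setting rather than the mandatory value that the `--set` remediation shown just above each check writes. Either state that the check is to be run as an ordinary interactive user, or mirror the remediation by adding `--direct --config-source` pointed at the same source it writes, so the check reads the enforced value. Minor: the `mode` hunk drops the trailing period after `<tt>blank-only</tt>`, unlike the other three rewritten OCIL blocks.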
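Review bot: The PASS_WARN_DAYS to PASS_WARN_AGE correction is right; that is the key shadow-utils reads from /etc/login.defs, so the old command would never have matched. Since an unanchored grep also prints commented or explanatory lines mentioning the name, consider `grep ^PASS_WARN_AGE /etc/login.defs` so only the effective setting is shown.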
scap-security-guide@lists.fedorahosted.org