Resolved a number of tickets with these.
David Smith (4):
  changed Rule to enable postfix
  changed LSM to SELinux
  changed unwieldy check command
  specified "-type f" for permissions check

 RHEL6/input/auxiliary/alt-titles-stig.xml | 8 ++++----
 RHEL6/input/services/mail.xml             | 2 +-
 RHEL6/input/system/auditing.xml           | 2 +-
 RHEL6/input/system/permissions/files.xml  | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/services/mail.xml | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index 9d226e3..88593aa 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -31,7 +31,7 @@ recommended to leave this service enabled for local mail delivery. <service-enable-macro service="postfix" /> </description> <ocil clause="the service is not enabled"> -<service-disable-check-macro service="postfix" /> +<service-enable-check-macro service="postfix" /> </ocil> <rationale>Local mail delivery is essential to some system maintenance and notification tasks.
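Review bot: the switch to service-enable-check-macro in the OCIL block makes the manual check agree with the service-enable-macro already used in the description and with the clause "the service is not enabled", but only the OCIL half of the rule is touched here. The rule's automated (OVAL) check and its title, which sit outside this hunk, need to be confirmed to test for "enabled" as well; otherwise the manual and automated results for this rule will contradict each other.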
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/auxiliary/alt-titles-stig.xml | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index 3b9724d..655bfa8 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -108,16 +108,16 @@ The system must limit the ability of processes to have simultaneous write and ex The system must implement virtual address space randomization. </title> <title rule="enable_selinux_bootloader" shorttitle="Ensure SELinux Not Disabled in /etc/grub.conf"> -The system must use a Linux Security Module at boot time. +The system must use SELinux at boot time. </title> <title rule="set_selinux_state" shorttitle="Ensure SELinux State is Enforcing"> -The system must use a Linux Security Module configured to enforce limits on system services. +The system must use SELinux configured to enforce limits on system services. </title> <title rule="set_selinux_policy" shorttitle="Configure SELinux Policy"> -The system must use a Linux Security Module configured to limit the privileges of system services. +The system must use SELinux configured to limit the privileges of system services. </title> <title rule="selinux_unlabeled_device_files" shorttitle="Ensure No Device Files are Unlabeled by SELinux"> -All device files must be monitored by the system Linux Security Module. +All device files must be monitored by SELinux. </title> <title rule="restrict_root_console_logins" shorttitle="Restrict Virtual Console Root Logins"> The system must prevent the root account from logging in from virtual consoles.
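Review bot: the fourth replacement, "All device files must be monitored by SELinux" (rule selinux_unlabeled_device_files), does not say what the check tests; its own shorttitle is "Ensure No Device Files are Unlabeled by SELinux", and SELinux labels device files rather than monitoring them. Suggest "All device files must be labeled by SELinux" so the long title names the same condition as the shorttitle. The other three LSM-to-SELinux substitutions read fine as is.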
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/system/auditing.xml | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index 8479eec..d7e040f 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -689,7 +689,7 @@ Change the mode of the audit log files with the following command: </description> <ocil clause="any are more permissive"> Run the following command to check the mode of the system audit logs: -<pre>grep "^log_file" /etc/audit/auditd.conf|sed s/^[^/]*//|xargs stat -c %a:%n</pre> +<pre>ls -l /var/log/audit</pre> Audit logs must be mode 0640 or less permissive. </ocil> <rationale>
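Review bot: replacing the pipeline with `ls -l /var/log/audit` drops the lookup of log_file in /etc/audit/auditd.conf and hardcodes the directory, so a system whose log_file points elsewhere will be checked in the wrong place and pass. It also prints symbolic modes (e.g. -rw-r-----) that the reader has to translate to the "0640 or less permissive" criterion by hand. If the objection was only that the old command was unwieldy, something like `stat -c "%a %n" /var/log/audit/*` keeps a numeric mode, or keep the grep on log_file and pass its directory to stat. Note also that the new command covers rotated logs (audit.log.1 and so on) where the old one only checked the file named by log_file; that is a reasonable widening, but the description should say so.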
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/system/permissions/files.xml | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index e1db8c6..603a05d 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -202,7 +202,7 @@ its permission with the following command: <ocil clause="any of these files are group-writable or world-writable"> To find shared libraries that are group-writable or world-writable, run the following command for each directory <i>DIR</i> which contains shared libraries: -<pre>$ find <i>DIR</i> -perm /022</pre> +<pre>$ find <i>DIR</i> -perm /022 -type f</pre> </ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at
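Review bot: `-type f` is the right fix for the clause "any of these files are group-writable or world-writable", and it removes a real false-positive source worth recording in the description: symbolic links such as libfoo.so -> libfoo.so.N always report mode 777 on Linux, so the previous `find DIR -perm /022` flagged every link in a library directory. Stating that in the OCIL text will keep a future editor from dropping the flag as redundant; directory permissions in DIR, if they should also be checked, belong in their own rule.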
On 3/11/13 1:09 PM, David Smith wrote:
Resolved a number of tickets with these.
David Smith (4):
  changed Rule to enable postfix
  changed LSM to SELinux
  changed unwieldy check command
  specified "-type f" for permissions check

 RHEL6/input/auxiliary/alt-titles-stig.xml | 8 ++++----
 RHEL6/input/services/mail.xml             | 2 +-
 RHEL6/input/system/auditing.xml           | 2 +-
 RHEL6/input/system/permissions/files.xml  | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
Thanks! Presumably you pushed these as bugfixes (and closed out the associated tickets on the wiki?).
As we go through the STIG feedback tickets, should we plan to include the ticket # in the git comments? I think this makes sense, and helps us correlate the two systems. What are your thoughts?
I did, and I agree with your thinking. I'll do that moving forward.
On Mon, Mar 11, 2013 at 1:31 PM, Shawn Wells shawn@redhat.com wrote:
On 3/11/13 1:09 PM, David Smith wrote:
Resolved a number of tickets with these.
David Smith (4):
  changed Rule to enable postfix
  changed LSM to SELinux
  changed unwieldy check command
  specified "-type f" for permissions check

 RHEL6/input/auxiliary/alt-titles-stig.xml | 8 ++++----
 RHEL6/input/services/mail.xml             | 2 +-
 RHEL6/input/system/auditing.xml           | 2 +-
 RHEL6/input/system/permissions/files.xml  | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
Thanks! Presumably you pushed these as bugfixes (and closed out the associated tickets on the wiki?).
As we go through the STIG feedback tickets, should we plan to include the ticket # in the git comments? I think this makes sense, and helps us correlate the two systems. What are your thoughts?
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide