This patchset resolves tickets based on STIG feedback.
David Smith (3):
  [bugfix] ticket 285 - added Check language allowing forwarding for routers
  [bugfix] ticket 337 - added language to make Rules NA if no NFS
  [bugfix] ticket 334 - added text allowing for Postfix to not be installed if CDS

 RHEL6/input/services/mail.xml         | 6 ++----
 RHEL6/input/services/nfs.xml          | 6 ++++--
 RHEL6/input/system/network/kernel.xml | 1 +
 3 files changed, 7 insertions(+), 6 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/system/network/kernel.xml | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml index 0f80df2..104cf7c 100644 --- a/RHEL6/input/system/network/kernel.xml +++ b/RHEL6/input/system/network/kernel.xml @@ -52,6 +52,7 @@ only appropriate for routers.</rationale> </description> <ocil> <sysctl-check-macro sysctl="net.ipv4.ip_forward" value="0" /> +The ability to forward packets is only appropriate for routers. </ocil> <rationale>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is
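Review bot: the line added inside `<ocil>` duplicates the `<rationale>` of the same Rule ("The ability to forward packets between two networks is only appropriate for routers") and reads as rationale rather than as a check instruction. If the intent of ticket 285 is to exempt routers from the check, state it as an applicability condition in the check text, e.g. "This is not applicable to systems acting as routers.", matching the "This is not applicable if NFS is not implemented." wording used in the nfs.xml patch of this series; the IPv6 counterpart of this sysctl is not touched by this patch and would need the same exemption.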
On 3/11/13 6:35 PM, David Smith wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil

 RHEL6/input/system/network/kernel.xml | 1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml index 0f80df2..104cf7c 100644 --- a/RHEL6/input/system/network/kernel.xml +++ b/RHEL6/input/system/network/kernel.xml @@ -52,6 +52,7 @@ only appropriate for routers.</rationale>
</description> <ocil> <sysctl-check-macro sysctl="net.ipv4.ip_forward" value="0" /> +The ability to forward packets is only appropriate for routers. </ocil> <rationale>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is --
Systems running KVM will require this as well.
"The ability to forward packets is only appropriate for systems acting as routers" seems a good compromise. Thoughts?
On 03/11/2013 08:38 PM, Shawn Wells wrote:
"The ability to forward packets is only appropriate for systems acting as routers" seems a good compromise. Thoughts?
Yes, leaf systems are the most common, and most people use routers for routing.
What about the IPv6 side?
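The thread settles on exempting "systems acting as routers" and raises the IPv6 side of the same check. As an added example, not part of the thread or of the SCAP Security Guide itself, the shell function below evaluates the forwarding check for both address families over sysctl-style "key = value" text, so it can be run offline against a captured `sysctl -a` dump. The `role` argument (router or leaf) and the sample dump are constructed for the example; the guide has no such variable. A missing `net.ipv6.*` key is treated as "IPv6 not loaded" and skipped rather than reported as a finding.

```shell
#!/bin/sh
# Added example (not SSG code): apply the IP forwarding check to a sysctl dump.
# Usage on a live host: check_forwarding "$(sysctl -a 2>/dev/null)" leaf

# sysctl_value <sysctl-output> <key>: print the value of <key>, "" if absent
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F' *= *' '$1 == k { print $2; exit }'
}

# check_forwarding <sysctl-output> <role>
#   role: "router" for systems acting as routers (the thread notes bridged KVM
#         hosts need forwarding too), "leaf" for everything else (assumed names)
#   prints NA, PASS, or "FAIL: key=value ..." for the offending sysctls
check_forwarding() {
    out=$1
    role=$2
    if [ "$role" = "router" ]; then
        echo "NA"            # forwarding is the system's job; check does not apply
        return 0
    fi
    bad=""
    for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding; do
        v=$(sysctl_value "$out" "$key")
        case "$v" in
            0)  ;;                         # compliant
            "") ;;                         # key absent: that stack is not loaded
            *)  bad="$bad $key=$v" ;;      # forwarding enabled
        esac
    done
    if [ -z "$bad" ]; then
        echo "PASS"
    else
        echo "FAIL:$bad"
    fi
}

# Constructed sample dumps (not captured from a real host)
DUMP_LEAF_BAD='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0'
DUMP_LEAF_OK='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'
DUMP_NO_IPV6='net.ipv4.ip_forward = 0'

check_forwarding "$DUMP_LEAF_BAD" leaf      # FAIL: net.ipv4.ip_forward=1
check_forwarding "$DUMP_LEAF_OK" leaf       # PASS
check_forwarding "$DUMP_NO_IPV6" leaf       # PASS
check_forwarding "$DUMP_LEAF_BAD" router    # NA
```

Only `net.ipv6.conf.all.forwarding` is consulted for IPv6; per-interface `net.ipv6.conf.<if>.forwarding` keys can differ, so a stricter check would walk all of them.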
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/services/nfs.xml | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/services/nfs.xml b/RHEL6/input/services/nfs.xml index 1dec65d..4308d78 100644 --- a/RHEL6/input/services/nfs.xml +++ b/RHEL6/input/services/nfs.xml @@ -347,7 +347,8 @@ server.</description> <ocil clause="the setting does not show"> To verify the <tt>nodev</tt> option is configured for all NFS mounts, run the following command: <pre>$ mount | grep nfs</pre> -All NFS mounts should show the <tt>nodev</tt> setting in parentheses. +All NFS mounts should show the <tt>nodev</tt> setting in parentheses. This is not applicable if NFS is +not implemented. </ocil> <rationale>Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users.</rationale> @@ -364,7 +365,8 @@ should not present device files to users.</rationale> <ocil clause="the setting does not show"> To verify the <tt>nosuid</tt> option is configured for all NFS mounts, run the following command: <pre>$ mount | grep nfs</pre> -All NFS mounts should show the <tt>nosuid</tt> setting in parentheses. +All NFS mounts should show the <tt>nosuid</tt> setting in parentheses. This is not applicable if NFS is +not implemented. </ocil> <rationale>NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem.</rationale>
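Review bot: in both hunks the "This is not applicable if NFS is not implemented." sentence is added to the ocil body, but the `clause="the setting does not show"` attribute on each `<ocil>` is unchanged, so the generated finding statement still reports a system with no NFS mounts (where `mount | grep nfs` prints nothing) as a finding. Fold the condition into the clause, as the mail.xml patch in this series does, e.g. `clause="NFS is implemented and the setting does not show"`. Separately, `mount | grep nfs` also matches the `nfsd` pseudo-filesystem line on an NFS server and any mount whose path contains "nfs"; `mount -t nfs,nfs4` restricts the output to NFS client mounts.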
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/services/mail.xml | 6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index 31bf7d5..dac4790 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -21,8 +21,6 @@ The <tt>alternatives</tt> program in RHEL permits selection of other mail server Postfix was coded with security in mind and can also be more effectively contained by SELinux as its modular design has resulted in separate processes performing specific actions. More information is available on its website, http://www.postfix.org. -<br /><br /> -Cross domain solutions are not required to have Postfix installed. </description>
<Rule id="service_postfix_enable"> @@ -33,7 +31,7 @@ the default SMTP port (port 25) on the loopback interface (127.0.0.1). It is recommended to leave this service enabled for local mail delivery. <service-enable-macro service="postfix" /> </description> -<ocil clause="the service is not enabled"> +<ocil clause="the system is not a cross domain solution and the service is not enabled"> <service-enable-check-macro service="postfix" /> </ocil> <rationale>Local mail delivery is essential to some system maintenance and @@ -56,7 +54,7 @@ not installed by default. </ocil> <rationale>The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix -should be used instead. +should be used instead. </rationale> <ref nist="CM-7" /> <tested by="DS" on="20121024"/>
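Review bot: the second hunk moves the cross domain solution exemption into the ocil `clause` attribute while the first hunk deletes the only reader-facing statement of it ("Cross domain solutions are not required to have Postfix installed.") from the Group description, so the `service_postfix_enable` description still says "It is recommended to leave this service enabled" with no mention that CDS systems are exempt. Keep that sentence in the Rule description alongside the clause change so the exemption is visible in the rendered guide, not only in the finding text.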
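Review bot: the third hunk changes "should be used instead." only by appending trailing whitespace (`+should be used instead. `), which is diff noise and will trip whitespace checks; drop this hunk.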
scap-security-guide@lists.fedorahosted.org