pushing more fixes to resolve tickets
David Smith (5):
  [bugfix] ticket 297 - added maxlogins value
  [bugfix] ticket 334 - added text exempting CDSes from Postfix requirement
  [bugfix] ticket 293 - added info to Ctrl-Alt-Del Rule
  [bugfix] ticket 299 - added finding statement
  [bugfix] ticket 332 - cleaned up file deletion audit Rule

 RHEL6/input/services/mail.xml | 5 ++++-
 RHEL6/input/system/accounts/physical.xml | 8 ++++----
 .../accounts/restrictions/account_expiration.xml | 3 ++-
 RHEL6/input/system/accounts/session.xml | 8 +++-----
 RHEL6/input/system/auditing.xml | 2 --
 5 files changed, 13 insertions(+), 13 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/system/accounts/session.xml | 8 +++----- 1 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index a5f5719..faa5295 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -27,10 +27,9 @@ operator="equals" interactive="0"> <description> Limiting the number of allowed users and sessions per user can limit risks related to Denial of Service attacks. This addresses concurrent sessions for a single account and does not address -concurrent sessions by a single user via multiple accounts. To set the number of concurrent +concurrent sessions by a single user via multiple accounts. The DoD requirement is 10. To set the number of concurrent sessions per user add the following line in <tt>/etc/security/limits.conf</tt>: -<pre>* hard maxlogins <i>MAX</i></pre> -Where <i>MAX</i> is the maximum number of login sessions allowed. +<pre>* hard maxlogins 10</pre> </description> <rationale>Limiting simultaneous user logins can insulate the system from denial of service problems caused by excessive logins. Automated login processes operating improperly or @@ -41,8 +40,7 @@ Run the following command to ensure the <tt>maxlogins</tt> value is configured f on the system: <pre># grep "maxlogins" /etc/security/limits.conf</pre> You should receive output similar to the following: -<pre>* hard maxlogins <i>MAX</i></pre> -Where <i>MAX</i> represents the value you have chosen. +<pre>* hard maxlogins 10</pre> </ocil> <!-- <oval id="max_concurrent_login_sessions" value="max_concurrent_login_sessions_value" /> --> <ref disa="54"/>
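Review bot: hard-coding 10 in both the description and the OCIL text of session.xml drops the <i>MAX</i> placeholder, so the rule now reads as if 10 were the only acceptable setting, while the commented-out <oval> line in the trailing context still points at a tunable max_concurrent_login_sessions_value. Consider keeping the placeholder and stating the DoD value next to it, and in the second hunk wording the expected output so that a stricter limit than 10 does not read as a finding. The added description line ("The DoD requirement is 10. To set the number of concurrent") also runs well past the wrap width of its neighbours.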
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/services/mail.xml | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index 88593aa..31bf7d5 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -20,7 +20,10 @@ The <tt>alternatives</tt> program in RHEL permits selection of other mail server (such as Sendmail), but Postfix is the default and is preferred. Postfix was coded with security in mind and can also be more effectively contained by SELinux as its modular design has resulted in separate processes performing specific actions. -More information is available on its website, http://www.postfix.org.</description> +More information is available on its website, http://www.postfix.org. +<br /><br /> +Cross domain solutions are not required to have Postfix installed. +</description>
<Rule id="service_postfix_enable"> <title>Enable Postfix Service</title>
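Review bot: the cross domain solutions exemption is added to the description that closes just before <Rule id="service_postfix_enable">, so it sits outside the Rule that carries the Postfix requirement and may not appear next to it when that rule is read on its own. Moving the sentence into the Rule's own text, or repeating it there, would keep the exemption with the check it qualifies. The <br /><br /> pair is used purely for spacing and is worth a second look for how it renders in each output format.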
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/system/accounts/physical.xml | 8 ++++---- 1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 15540a1..c0a3e5e 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -147,10 +147,10 @@ rebooting the system, alter that line to read as follows: <pre>exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre> </description> <ocil clause="the system is configured to run the shutdown command"> -To check how the system is configured to behave when Ctrl-Alt-Del is pressed, -inspect the file <tt>/etc/init/control-alt-delete.conf</tt>. -The commands following the line below will be executed when the key sequence is pressed: -<pre>start on control-alt-delete</pre> +To ensure the system is configured to log a message instead of rebooting the system when +Ctrl-Alt-Del is pressed, ensure the following line is in <tt>/etc/init/control-alt-delete.conf</tt>: +<pre>exec /usr/bin/logger -p security.info "Control-Alt-Delete pressed"</pre> +</description> </ocil> <rationale> A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
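Review bot: the new OCIL text ends with an added </description> immediately before </ocil>, but the description element was already closed in the context line above the <ocil> tag, so this stray closing tag leaves physical.xml malformed. Drop the +</description> line. Separately, the clause still reads "the system is configured to run the shutdown command" while the rewritten text asks the reader to confirm the logger line is present, so check that the answer to the new text still maps to that clause the right way round.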
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- .../accounts/restrictions/account_expiration.xml | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index d17ec16..d8e8702 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -46,7 +46,8 @@ period of inactivity for users in the particular environment. Setting the timeout too low incurs support costs and also has the potential to impact availability of the system to legitimate users. </description> -<ocil>To verify the <tt>INACTIVE</tt> setting, run the following command: +<ocil clause="it does not"> +To verify the <tt>INACTIVE</tt> setting, run the following command: <pre>grep "INACTIVE" /etc/default/useradd</pre> The output should indicate the <tt>INACTIVE</tt> configuration option is set to an appropriate integer as shown in the example below:
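Review bot: clause="it does not" has no referent of its own; it only makes sense if the OCIL text it is attached to ends by saying what the output should contain, and that ending is not visible in this hunk. A self-contained clause that names the INACTIVE setting, in the style of the physical.xml clause ("the system is configured to run the shutdown command"), would survive later edits to the check text.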
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil --- RHEL6/input/system/auditing.xml | 2 -- 1 files changed, 0 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index d7e040f..dbe3c34 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -1253,9 +1253,7 @@ appropriate for your system: </description> <ocil> <audit-syscall-check-macro syscall="unlink" /> -<audit-syscall-check-macro syscall="unlinkat" /> <audit-syscall-check-macro syscall="rename" /> -<audit-syscall-check-macro syscall="renameat" /> </ocil> <rationale>Auditing file deletions will create an audit trail for files that are removed from the system. The audit trail could aid in system troubleshooting, as well as, detecting
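Review bot: removing the unlinkat and renameat check macros means the OCIL procedure no longer asks the auditor to verify audit rules for those two syscalls, although both remove or rename files just as unlink and rename do. The commit subject only says "cleaned up", so state the reason in the commit message, and confirm that the rule's description (outside this hunk) does not still list unlinkat and renameat, otherwise the check and the guidance disagree.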
Just caught/fixed my own bug in physical.xml -- pushed the bugfix already.
On 03/11/2013 04:03 PM, David Smith wrote:
pushing more fixes to resolve tickets
David Smith (5):
  [bugfix] ticket 297 - added maxlogins value
  [bugfix] ticket 334 - added text exempting CDSes from Postfix requirement
  [bugfix] ticket 293 - added info to Ctrl-Alt-Del Rule
  [bugfix] ticket 299 - added finding statement
  [bugfix] ticket 332 - cleaned up file deletion audit Rule

 RHEL6/input/services/mail.xml | 5 ++++-
 RHEL6/input/system/accounts/physical.xml | 8 ++++----
 .../accounts/restrictions/account_expiration.xml | 3 ++-
 RHEL6/input/system/accounts/session.xml | 8 +++-----
 RHEL6/input/system/auditing.xml | 2 --
 5 files changed, 13 insertions(+), 13 deletions(-)
scap-security-guide@lists.fedorahosted.org