These patches address tickets 281 (add library directories to Check text) and 295 (pwck invocation).
David Smith (2):
  modified pwck invocation
  added library directories to check text

 .../accounts/restrictions/account_expiration.xml | 2 +-
 .../accounts/restrictions/password_storage.xml | 2 +-
 RHEL6/input/system/permissions/files.xml | 10 ++++++++--
 3 files changed, 10 insertions(+), 4 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 .../accounts/restrictions/account_expiration.xml | 2 +-
 .../accounts/restrictions/password_storage.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index d8e8702..3d45d55 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -69,7 +69,7 @@ Change usernames, or delete accounts, so each has a unique name. </description> <ocil clause="a line is returned"> Run the following command to check for duplicate account names: -<pre># pwck -r</pre> +<pre># pwck -qr</pre> If there are no duplicate names, no line will be returned. </ocil> <rationale> diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index be8ed82..333e9a5 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml @@ -76,7 +76,7 @@ Add a group to the system for each GID referenced without a corresponding group. <ocil clause="there is output"> To ensure all GIDs referenced in <tt>/etc/passwd</tt> are defined in <tt>/etc/group</tt>, run the following command: -<pre># pwck -r</pre> +<pre># pwck -qr</pre> There should be no output. </ocil> <rationale>
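Review bot: the `+<pre># pwck -qr</pre>` line in account_expiration.xml adds `-q` without the surrounding check text saying what the option changes. The OCIL clause here is "a line is returned", so whoever evaluates the result needs to know that `-q` makes pwck report errors only and drop warnings that need no action from the user. A one-sentence explanation after the command would cover it, together with a mention that `-r` keeps the run read-only.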
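Review bot: in the password_storage.xml hunk, the clause "there is output" paired with "There should be no output" treats any line from `pwck -qr` as an undefined GID, yet the identical command is used in account_expiration.xml to detect duplicate account names. Output caused by either condition will therefore fail both checks. Suggest the text name the pwck message that indicates a GID with no matching group, so the finding is attributed to the right rule.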
Looks good, please commit!
On Wed, Mar 13, 2013 at 8:46 AM, David Smith dsmith@eclipse.ncsc.mil wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
 .../accounts/restrictions/account_expiration.xml | 2 +-
 .../accounts/restrictions/password_storage.xml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/accounts/restrictions/account_expiration.xml b/RHEL6/input/system/accounts/restrictions/account_expiration.xml index d8e8702..3d45d55 100644 --- a/RHEL6/input/system/accounts/restrictions/account_expiration.xml +++ b/RHEL6/input/system/accounts/restrictions/account_expiration.xml @@ -69,7 +69,7 @@ Change usernames, or delete accounts, so each has a unique name.
</description> <ocil clause="a line is returned"> Run the following command to check for duplicate account names: -<pre># pwck -r</pre> +<pre># pwck -qr</pre> If there are no duplicate names, no line will be returned. </ocil> <rationale> diff --git a/RHEL6/input/system/accounts/restrictions/password_storage.xml b/RHEL6/input/system/accounts/restrictions/password_storage.xml index be8ed82..333e9a5 100644 --- a/RHEL6/input/system/accounts/restrictions/password_storage.xml +++ b/RHEL6/input/system/accounts/restrictions/password_storage.xml @@ -76,7 +76,7 @@ Add a group to the system for each GID referenced without a corresponding group. <ocil clause="there is output"> To ensure all GIDs referenced in <tt>/etc/passwd</tt> are defined in <tt>/etc/group</tt>, run the following command: -<pre># pwck -r</pre> +<pre># pwck -qr</pre> There should be no output. </ocil> <rationale> -- 1.7.1
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/system/permissions/files.xml | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index 603a05d..9a0de83 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -230,8 +230,14 @@ following command: <pre># chown root <i>FILE</i></pre> </description> <ocil clause="any of these files are not owned by root"> -To find shared libraries that are not owned by <tt>root</tt>, -run the following command for each directory <i>DIR</i> which contains shared libraries: +Shared libraries are stored in the following directories: +<pre>/lib +/lib64 +/usr/lib +/usr/lib64 +</pre> +For each of these directories, run the following command to find files not +owned by root: <pre>$ find <i>DIR</i> ! -user root</pre> </ocil> <rationale>Files from shared library directories are loaded into the address
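Review bot: in the added lines of the files.xml hunk, "owned by root:" drops the `<tt>root</tt>` markup that the removed sentence used, and the `+</pre>` on its own line leaves a trailing empty line inside the rendered block. Put `</pre>` directly after `/usr/lib64` and keep `<tt>root</tt>`. Since the four directories are now fixed, the retained `find <i>DIR</i> ! -user root` placeholder could also become a single command naming all four, which removes the per-directory repetition from the check.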
Looks good, please commit!
This also allows the check and fix to stand independently, which is a goal for presentation/structure.
On Wed, Mar 13, 2013 at 8:46 AM, David Smith dsmith@eclipse.ncsc.mil wrote:
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
 RHEL6/input/system/permissions/files.xml | 10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index 603a05d..9a0de83 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -230,8 +230,14 @@ following command:
<pre># chown root <i>FILE</i></pre>
</description> <ocil clause="any of these files are not owned by root"> -To find shared libraries that are not owned by <tt>root</tt>, -run the following command for each directory <i>DIR</i> which contains shared libraries: +Shared libraries are stored in the following directories: +<pre>/lib +/lib64 +/usr/lib +/usr/lib64 +</pre> +For each of these directories, run the following command to find files not +owned by root: <pre>$ find <i>DIR</i> \! -user root</pre> </ocil> <rationale>Files from shared library directories are loaded into the address -- 1.7.1