Here we have a fix for Ticket #49: the guidance now calls for using the "screen" package instead of "vlock" for console locking. References to installation of vlock were edited to reflect the change, both in the applicable profiles and the alt-titles-stig file.
David Smith (2):
  changed periods back to colons, where appropriate
  changed rule to use "screen" instead of "vlock"
 RHEL6/input/auxiliary/alt-titles-stig.xml   |  2 +-
 RHEL6/input/profiles/common.xml             |  2 +-
 RHEL6/input/profiles/manual_remediation.xml |  2 +-
 RHEL6/input/services/ldap.xml               | 46 +++++++++++++-------------
 RHEL6/input/services/mail.xml               | 28 ++++++++--------
 RHEL6/input/services/ntp.xml                |  4 +-
 RHEL6/input/services/obsolete.xml           | 10 +++---
 RHEL6/input/system/accounts/physical.xml    | 28 +++++++---------
 8 files changed, 59 insertions(+), 63 deletions(-)
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/services/ldap.xml     | 46 ++++++++++++++++++------------------
 RHEL6/input/services/mail.xml     | 28 +++++++++++-----------
 RHEL6/input/services/ntp.xml      |  4 +-
 RHEL6/input/services/obsolete.xml | 10 ++++----
 4 files changed, 44 insertions(+), 44 deletions(-)
diff --git a/RHEL6/input/services/ldap.xml b/RHEL6/input/services/ldap.xml index 81cbddf..5295cdb 100644 --- a/RHEL6/input/services/ldap.xml +++ b/RHEL6/input/services/ldap.xml @@ -28,12 +28,12 @@ network.</warning> <Rule id="ldap_client_start_tls" severity="medium"> <title>Configure LDAP to Use TLS For All Transactions</title> <description>Configure LDAP to enforce TLS use. First, edit the file -<tt>/etc/pam_ldap.conf</tt>, and add or correct the following lines. +<tt>/etc/pam_ldap.conf</tt>, and add or correct the following lines: <pre>ssl start_tls</pre> Then review the LDAP server and ensure TLS has been configured. </description> <ocil clause="no lines are returned"> -To ensure LDAP is configured to use TLS for all transactions, run the following command. +To ensure LDAP is configured to use TLS for all transactions, run the following command: <pre>$ grep start_tls /etc/pam_ldap.conf</pre> </ocil> <rationale>The ssl directive specifies whether to use ssl or not. If @@ -50,14 +50,14 @@ than doing LDAP over SSL.</rationale> <description>Ensure a copy of the site's CA certificate has been placed in the file <tt>/etc/pki/tls/CA/cacert.pem</tt>. Configure LDAP to enforce TLS use and to trust certificates signed by the site's CA. First, edit the file -<tt>/etc/pam_ldap.conf</tt>, and add or correct either of the following lines. +<tt>/etc/pam_ldap.conf</tt>, and add or correct either of the following lines: <pre>tls_cacertdir /etc/pki/tls/CA</pre> or <pre>tls_cacertfile /etc/pki/tls/CA/cacert.pem</pre> Then review the LDAP server and ensure TLS has been configured. </description> <ocil clause="there is no output, or the lines are commented out"> -To ensure TLS is configured with trust certificates, run the following command. +To ensure TLS is configured with trust certificates, run the following command: <pre># grep cert /etc/pam_ldap.conf</pre> </ocil> <rationale>The tls_cacertdir or tls_cacertfile directives are required when 
@@ -93,7 +93,7 @@ intended for use as an LDAP Server it should be removed. </description> <ocil clause="it does not"> To verify the <tt>openldap-servers</tt> package is not installed, -run the following command. +run the following command: <pre>$ rpm -q openldap-servers</pre> The output should show the following. <pre>package openldap-servers is not installed</pre> @@ -130,7 +130,7 @@ ensure that the configuration files are protected from unauthorized access or modification. <br /><br /> Edit the ldap configuration file at <tt>/etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif</tt>. -Ensure that the configuration file has reasonable permissions. +Ensure that the configuration file has reasonable permissions: <pre># chown root:ldap /etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif # chmod 640 /etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif</pre> Protect configuration files containing the hashed password the same way you would protect other files, such as @@ -146,14 +146,14 @@ Protect configuration files containing the hashed password the same way you woul <description>Is this system an OpenLDAP server? If so, ensure that the RootDN uses a secure password. <br /><br /> -Generate a hashed password using the slappasswd utility. +Generate a hashed password using the slappasswd utility: <pre># slappasswd New password: Re-enter new password:</pre> This will output a hashed password string. <br /><br /> Edit the file <tt>/etc/openldap/slapd.d/cn=config/olcDatabase={*}bdb.ldif</tt>, and add or correct -the line. +the line: <pre>olcRootPW: {SSHA}hashed-password-string</pre> Be sure to select a secure password for the LDAP root user, since this user has permission to read and write all LDAP data, so a compromise of the LDAP root password will probably enable a full compromise of your site. 
@@ -171,18 +171,18 @@ In addition, be sure to use a reasonably strong hash function. The default hash # chown root:root /etc/pki/tls/ldap # chmod 755 /etc/pki/tls/ldap</pre> Using removable media or some other secure transmission format, install the files generated in the previous -step onto the LDAP server. +step onto the LDAP server: <ul> <li><tt>/etc/pki/tls/ldap/serverkey.pem</tt>: the private key <tt>ldapserverkey.pem</tt></li> <li><tt>/etc/pki/tls/ldap/servercert.pem</tt>: the certificate file <tt>ldapservercert.pem</tt></li> </ul> -Verify the ownership and permissions of these files. +Verify the ownership and permissions of these files: <pre># chown root:ldap /etc/pki/tls/ldap/serverkey.pem # chown root:ldap /etc/pki/tls/ldap/servercert.pem # chmod 640 /etc/pki/tls/ldap/serverkey.pem # chmod 640 /etc/pki/tls/ldap/servercert.pem</pre> Verify that the CA's public certificate file has been installed as <tt>/etc/pki/tls/CA/cacert.pem</tt>, and has the -correct permissions. +correct permissions: <pre># mkdir /etc/pki/tls/CA # chown root:root /etc/pki/tls/CA/cacert.pem # chmod 644 /etc/pki/tls/CA/cacert.pem</pre> @@ -209,7 +209,7 @@ LDAP server process would need to be restarted manually whenever the server rebo
<Group id="ldap_server_config_directory_domain"> <title>Create Top-level LDAP Structure for Domain</title> -<description>Create a structure for the domain itself with at least the following attributes. +<description>Create a structure for the domain itself with at least the following attributes: <pre>dn: dc=example,dc=com objectClass: dcObject objectClass: organization @@ -225,7 +225,7 @@ any other entries for the domain.
<Group id="ldap_server_config_directory_users_groups"> <title>Create LDAP Structures for Users and Groups</title> -<description>Create LDAP structures for people (users) and for groups with at least the following attributes. +<description>Create LDAP structures for people (users) and for groups with at least the following attributes: <pre>dn: ou=people,dc=example,dc=com ou: people structuralObjectClass: organizationalUnit @@ -245,7 +245,7 @@ These organizational units are used to identify the two categories within LDAP. <Group id="ldap_server_config_directory_accounts"> <title>Create Unix Accounts</title> <description>For each Unix user, create an LDAP entry with at least the following attributes (others may be appropriate -for your site as well), using variable values appropriate to that user. +for your site as well), using variable values appropriate to that user: <pre>dn: uid=username ,ou=people,dc=example,dc=com structuralObjectClass: inetOrgPerson objectClass: inetOrgPerson @@ -274,7 +274,7 @@ but only for user accounts which are to be shared across machines, and which hav
<Group id="ldap_server_config_directory_groups"> <title>Create Unix Groups</title> -<description>For each Unix group, create an LDAP entry with at least the following attributes. +<description>For each Unix group, create an LDAP entry with at least the following attributes: <pre>dn: cn=groupname ,ou=groups,dc=example,dc=com cn: groupname structuralObjectClass: posixGroup @@ -298,7 +298,7 @@ or which are shared across systems. <Group id="ldap_server_config_directory_admin_group"> <title>Create Groups to Administer LDAP</title> <description>If a group of LDAP administrators is desired, that group must be created somewhat differently. -The specification should have these attributes. +The specification should have these attributes: <pre>dn: cn=admins ,ou=groups,dc=example,dc=com cn: admins structuralObjectClass: groupOfUniqueNames @@ -320,9 +320,9 @@ auditing and error detection, it is recommended that LDAP administrators have un
<Rule id="ldap_server_config_olcaccess"> <title>Configure slapd to Protect Authentication Information</title> -<description>Use ldapmodify to add these entries to the database. Add or correct the following access specifications. +<description>Use ldapmodify to add these entries to the database. Add or correct the following access specifications: 1. Protect the user's password by allowing the user himself or the LDAP administrators to change it, -allowing the anonymous user to authenticate against it, and allowing no other access. +allowing the anonymous user to authenticate against it, and allowing no other access: <pre>olcAccess: to attrs=userPassword by self write by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write @@ -332,7 +332,7 @@ olcAccess: to attrs=shadowLastChange by self write by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write by * read</pre> -2. Allow anyone to read other information, and allow the administrators to change it. +2. Allow anyone to read other information, and allow the administrators to change it: <pre>olcAccess: to * by group/groupOfUniqueNames/uniqueMember="cn=admins ,ou=groups,dc=example,dc=com " write by * read</pre> @@ -363,7 +363,7 @@ permissions. This will prevent slapd from starting correctly. <Rule id="iptables_ldap_enabled"> <title>Configure iptables to Allow Access to the LDAP Server</title> <description>Determine an appropriate network block representing the machines on -your network which will synchronize to this server. +your network which will synchronize to this server: <iptables-desc-macro net="true" proto="tcp" port="389" /> <iptables-desc-macro net="true" proto="tcp" port="636" /> The default Iptables configuration does not allow inbound access to any 
@@ -384,10 +384,10 @@ by connecting to the primary port and issuing the STARTTLS command. <title>Configure Logging for LDAP</title> <description> <ol> -<li>Add or correct the fillowing line within <tt>/etc/rsyslog.conf</tt>. +<li>Add or correct the fillowing line within <tt>/etc/rsyslog.conf</tt>: <pre>local4.*</pre> </li> -<li>Create the log file with safe permissions. +<li>Create the log file with safe permissions: <pre># touch /var/log/ldap.log # chown root:root /var/log/ldap.log # chmod 0600 /var/log/ldap.log</pre> @@ -396,7 +396,7 @@ by connecting to the primary port and issuing the STARTTLS command. <pre>/var/log/ldap.log</pre> to the space-separated list in the first line.</li> <li>Edit the LDAP configuration file /etc/openldap/slapd.conf and set a reasonable set of default log -parameters, such as the following. +parameters, such as the following: <pre>loglevel stats2</pre> </li> </ol> diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml index 4136da7..b0f2bb8 100644 --- a/RHEL6/input/services/mail.xml +++ b/RHEL6/input/services/mail.xml @@ -71,11 +71,11 @@ e-mail configuration.</description> <title>Disable Postfix Network Listening</title> <description> Edit the file <tt>/etc/postfix/main.cf</tt> to ensure that only the following -<tt>inet_interfaces</tt> line appears. +<tt>inet_interfaces</tt> line appears: <pre>inet_interfaces = localhost</pre> </description> <ocil clause="it does not"> -Run the following command to ensure postfix accepts mail messages from only the local system. +Run the following command to ensure postfix accepts mail messages from only the local system: <pre>$ grep inet_interfaces /etc/postfix/main.cf</pre> If properly configured, the output should show only <tt>localhost</tt>. </ocil> @@ -146,12 +146,12 @@ that access, while keeping other ports on the server in their default protected
<Rule id="postfix_logging"> <title>Verify System Logging and Log Permissions for Mail</title> -<description>Edit the file <tt>/etc/rsyslog.conf</tt>. Add or correct the following line if necessary (this is the default). +<description>Edit the file <tt>/etc/rsyslog.conf</tt>. Add or correct the following line if necessary (this is the default): <pre>mail.* -/var/log/maillog</pre> Run the following commands to ensure correct permissions on the mail log: <pre># chown root:root /var/log/maillog # chmod 600 /var/log/maillog</pre> -Ensure log will be rotated as appropriate by adding or correcting the following line if needed into the list on the first line of <tt>/etc/logrotate.d/syslog</tt> (this is the default). +Ensure log will be rotated as appropriate by adding or correcting the following line if needed into the list on the first line of <tt>/etc/logrotate.d/syslog</tt> (this is the default): <pre>/var/log/maillog</pre> </description> <!-- <ident cce="TODO:CCE" /> --> @@ -195,21 +195,21 @@ purpose.</warning>
<Rule id="postfix_install_ssl_cert"> <title>Install the SSL Certificate</title> -<description>Create the PKI directory for mail certificates, if it does not already exist. +<description>Create the PKI directory for mail certificates, if it does not already exist: <pre># mkdir /etc/pki/tls/mail # chown root:root /etc/pki/tls/mail # chmod 755 /etc/pki/tls/mail</pre> Using removable media or some other secure transmission format, install the files generated in the previous -step onto the mail server. +step onto the mail server: <pre>/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem /etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</pre> -Verify the ownership and permissions of these files. +Verify the ownership and permissions of these files: <pre># chown root:root /etc/pki/tls/mail/serverkey.pem # chown root:root /etc/pki/tls/mail/servercert.pem # chmod 600 /etc/pki/tls/mail/serverkey.pem # chmod 644 /etc/pki/tls/mail/servercert.pem</pre> Verify that the CA's public certificate file has been installed as <tt>/etc/pki/tls/CA/cacert.pem</tt>, and has the -correct permissions. +correct permissions: <pre># chown root:root /etc/pki/tls/CA/cacert.pem # chmod 644 /etc/pki/tls/CA/cacert.pem</pre> </description> @@ -229,7 +229,7 @@ correct permissions.
<Rule id="postfix_server_denial_of_service"> <title>Limit Denial of Service Attacks</title> -<description>Edit <tt>/etc/postfix/main.cf</tt>. Add or correct the following lines. +<description>Edit <tt>/etc/postfix/main.cf</tt>. Add or correct the following lines: <pre>default_process_limit = 100 smtpd_client_connection_count_limit = 10 smtpd_client_connection_rate_limit = 30 @@ -259,7 +259,7 @@ typical at your site, look in <tt>/var/log/maillog</tt> for lines with the daemo <Rule id="postfix_server_banner" severity="medium"> <title>Configure SMTP Greeting Banner</title> <description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the following line, substituting some other wording for the -banner information if you prefer. +banner information if you prefer: <pre>smtpd_banner = $myhostname ESMTP</pre> </description> <rationale>The default greeting banner discloses that the listening mail process is Postfix. @@ -287,7 +287,7 @@ with SSL support. <Rule id="postfix_server_mail_relay_set_trusted_networks"> <title>Configure Trusted Networks and Hosts</title> <description>Edit <tt>/etc/postfix/main.cf</tt>, and configure the contents of the <tt>mynetworks</tt> variable in one of the following -ways. +ways: <ul> <li>If any machine in the subnet containing the MTA may be trusted to relay messages, add or correct the following line. <pre>mynetworks_style = subnet</pre></li> @@ -312,7 +312,7 @@ mail. <Rule id="postfix_server_mail_relay_for_trusted_networks"> <title>Allow Unlimited Relaying for Trusted Networks Only</title> <description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the <tt>smtpd_recipient_restrictions</tt> definition so that it -contains at least. +contains at least: <pre>smtpd_recipient_restrictions = ... permit_mynetworks, 
@@ -338,7 +338,7 @@ This section describes how to configure authentication using the Cyrus-SASL impl discussion of other options. <br /><br /> To enable the use of SASL authentication, edit <tt>/etc/postfix/main.cf</tt> and add or correct the following -settings. +settings: <pre>smtpd_sasl_auth_enable = yes smtpd_recipient_restrictions = ... @@ -373,7 +373,7 @@ work via PAM, look at the <tt>saslauthd(8)</tt> manpage to find out how to confi
<Rule id="postfix_server_mail_relay_require_tls_for_smtp_auth"> <title>Require TLS for SMTP AUTH</title> -<description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the following lines. +<description>Edit <tt>/etc/postfix/main.cf</tt>, and add or correct the following lines: <pre>smtpd_tls_CApath = /etc/pki/tls/CA smtpd_tls_CAfile = /etc/pki/tls/CA/cacert.pem smtpd_tls_cert_file = /etc/pki/tls/mail/servercert.pem diff --git a/RHEL6/input/services/ntp.xml b/RHEL6/input/services/ntp.xml index 2e593d9..606ad67 100644 --- a/RHEL6/input/services/ntp.xml +++ b/RHEL6/input/services/ntp.xml @@ -64,7 +64,7 @@ data. A remote NTP server should be configured for time synchronization. To verify one is configured, open the following file. <pre>/etc/ntp.conf</pre> -In the file, there should be a section similar to the following. +In the file, there should be a section similar to the following: <pre># --- OUR TIMESERVERS ----- server <i>ntpserver</i></pre> </ocil> @@ -84,7 +84,7 @@ recommended.</rationale> <description>Additional NTP servers can be specified for time synchronization in the file <tt>/etc/ntp.conf</tt>. To do so, add additional lines of the following form, substituting the IP address or hostname of a remote NTP server for -<em>ntpserver</em>. +<em>ntpserver</em>: <pre>server <i>ntpserver</i></pre> </description> <rationale>Specifying additional NTP servers increases the availability of diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index 4542b52..c7b4431 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -44,7 +44,7 @@ attacks against xinetd itself.
<Rule id="uninstall_xinetd"> <title>Uninstall xinetd Package</title> -<description>The <tt>xinetd</tt> package can be uninstalled with the following command. +<description>The <tt>xinetd</tt> package can be uninstalled with the following command: <pre># yum erase xinetd</pre> </description> <ocil><package-check-macro package="xinetd" /> </ocil> @@ -88,7 +88,7 @@ subject to man-in-the-middle attacks. <Rule id="uninstall_telnet_server" severity="high"> <title>Uninstall telnet-server Package</title> <description>The <tt>telnet-server</tt> package can be uninstalled with -the following command. +the following command: <pre># yum erase telnet-server</pre></description> <ocil><package-check-macro package="telnet-server" /> </ocil> <rationale> @@ -113,7 +113,7 @@ model.</description> <Rule id="uninstall_rsh-server" severity="high"> <title>Uninstall rsh-server Package</title> <description>The <tt>rsh-server</tt> package can be uninstalled with -the following command. +the following command: <pre># yum erase rsh-server</pre> </description> <ocil><package-check-macro package="rsh-server" /> </ocil> @@ -221,7 +221,7 @@ important authentication information.</description> <Rule id="uninstall_ypserv" severity="medium"> <title>Uninstall ypserv Package</title> <description>The <tt>ypserv</tt> package can be uninstalled with -the following command. +the following command: <pre># yum erase ypserv</pre> </description> <ocil><package-check-macro package="ypserv" /> </ocil> 
@@ -302,7 +302,7 @@ accidental (or intentional) activation of tftp services. <description>If running the <tt>tftp</tt> service is necessary, it should be configured to change its root directory at startup. To do so, ensure <tt>/etc/xinetd.d/tftp</tt> includes <tt>-s</tt> as a command line argument, as shown in -the following example (which is also the default). +the following example (which is also the default): <pre>server_args = -s /var/lib/tftpboot</pre> </description> <rationale>Using the <tt>-s</tt> option causes the TFTP service to only serve files from the
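Review bot: in the ldap.xml hunk at @@ -28 (ldap_client_start_tls), the OCIL check `$ grep start_tls /etc/pam_ldap.conf` with clause "no lines are returned" passes when the only match is a commented-out `#ssl start_tls`; the next rule in the same file already uses the wording "there is no output, or the lines are commented out", and this clause should say the same so a disabled directive is not reported as compliant.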
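Review bot: in the ldap.xml hunk at @@ -363 (iptables_ldap_enabled), the sentence "machines on your network which will synchronize to this server:" describes time synchronization, not LDAP clients; since the macros below open tcp/389 and tcp/636, the wording should be something like "machines on your network which will query this LDAP server:".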
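Review bot: in the ldap.xml hunk at @@ -384 (Configure Logging for LDAP), the edited line still carries the typo "fillowing" and should read "following" while it is being touched; in the same hunk, the rsyslog example `<pre>local4.*</pre>` is a selector with no action, yet the following step creates `/var/log/ldap.log`, so the example should show the full line, e.g. `local4.* /var/log/ldap.log`, or the messages never reach the file whose permissions the rule then hardens.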
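Review bot: in the ldap.xml hunk at @@ -396, the instruction to edit `/etc/openldap/slapd.conf` and set `loglevel stats2` is inconsistent with every other rule in this file, which edits the cn=config database under `/etc/openldap/slapd.d/cn=config/`; the logging rule should point at the same configuration mechanism as ldap_server_config_olcaccess and the RootDN rule, otherwise an administrator following the guide edits a file the server may not read.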
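Review bot: in the mail.xml hunk at @@ -287 (postfix_server_mail_relay_set_trusted_networks), the outer sentence was changed to end in "ways:" but the first list item in the unchanged context still ends "add or correct the following line." before its `<pre>`; the commit is titled "changed periods back to colons, where appropriate", so this item should be changed to "the following line:" for consistency.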
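Review bot: in the ntp.xml hunk at @@ -64, the context line "To verify one is configured, open the following file." still ends with a period before `<pre>/etc/ntp.conf</pre>` while the sentence two lines later was changed to a colon; this line should be changed too, since it is the same construction the commit sets out to fix.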
Signed-off-by: David Smith dsmith@eclipse.ncsc.mil
---
 RHEL6/input/auxiliary/alt-titles-stig.xml   |  2 +-
 RHEL6/input/profiles/common.xml             |  2 +-
 RHEL6/input/profiles/manual_remediation.xml |  2 +-
 RHEL6/input/system/accounts/physical.xml    | 28 +++++++++++---------------
 4 files changed, 15 insertions(+), 19 deletions(-)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index 915bd1a..d944b48 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -236,7 +236,7 @@ The graphical desktop environment must have automatic lock enabled. <title rule="set_blank_screensaver" shorttitle="Implement Blank Screen Saver"> The system must display a publicly-viewable pattern during a graphical desktop environment session lock. </title> -<title rule="install_vlock_package" shorttitle="Install the vlock Package"> +<title rule="install_screen_package" shorttitle="Install the screen Package"> The system must allow locking of the console screen. </title> <title rule="set_system_login_banner" shorttitle="Modify the System Login Banner"> diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml index 914ca76..3c5a381 100644 --- a/RHEL6/input/profiles/common.xml +++ b/RHEL6/input/profiles/common.xml @@ -67,7 +67,7 @@ <select idref="bootloader_password" selected="true"/> <select idref="require_singleuser_auth" selected="true"/> <select idref="disable_interactive_boot" selected="true"/> -<select idref="install_vlock_package" selected="true"/> +<select idref="install_screen_package" selected="true"/> <select idref="set_system_login_banner" selected="true"/> <!-- CURRENTLY NOT IMPLEMENTED <select idref="set_gui_login_banner" selected="true"/> -->
diff --git a/RHEL6/input/profiles/manual_remediation.xml b/RHEL6/input/profiles/manual_remediation.xml index 84a8fe7..ea1218d 100644 --- a/RHEL6/input/profiles/manual_remediation.xml +++ b/RHEL6/input/profiles/manual_remediation.xml @@ -4,7 +4,7 @@ <select idref="install_aide" selected="true"/> <select idref="install_vsftpd" selected="true"/> <select idref="install_openswan" selected="true"/> -<select idref="install_vlock_package" selected="true"/> +<select idref="install_screen_package" selected="true"/> <select idref="bios_disable_usb_boot" selected="true"/> <select idref="bootloader_password" selected="true"/> <select idref="rsyslog_send_messages_to_logserver" selected="true"/> diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index a630c58..05f54e7 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml @@ -351,31 +351,27 @@ contents of the display from passersby. <title>Configure Console Screen Locking</title> <description> A console screen locking mechanism is provided in the -vlock package, which is not installed by default. +<tt>screen</tt> package, which is not installed by default. </description>
-<Rule id="install_vlock_package"> -<title>Install the vlock Package</title> +<Rule id="install_screen_package"> +<title>Install the screen Package</title> <description> -To enable console screen locking, install the vlock package: -<pre># yum install vlock</pre> -Instruct users to invoke the program when necessary, in order -to prevent passersby from abusing their login: -<pre>$ vlock</pre> -The <tt>-a</tt> option can be used to prevent switching to other -virtual consoles. +To enable console screen locking, install the <tt>screen</tt> package: +<pre># yum install screen</pre> +Instruct users to begin new terminal sessions with the following command: +<pre>$ screen</pre> +The console can now be locked with the following key combination: +<pre>ctrl+a x</pre> </description> -<ocil clause="there is a command not found error"> -To check whether vlock has been installed, run the following command: -<pre>$ vlock</pre> -If vlock is available, then the terminal will lock. +<ocil clause="the package is not installed"> +<package-check-macro package="screen" /> </ocil> <rationale> -Installing vlock ensures a console locking capability is available +Installing <tt>screen</tt> ensures a console locking capability is available for users who may need to suspend console logins. </rationale> <ident cce="3910-7" /> -<oval id="package_vlock_installed" /> <ref nist="CM-6, CM-7" disa="58" /> <tested by="DS" on="20121026"/> </Rule>
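Review bot: in the physical.xml hunk at @@ -351 (install_screen_package), the line `<oval id="package_vlock_installed" />` is deleted without a replacement such as `<oval id="package_screen_installed" />`, so the rule keeps an OCIL package check but loses its automated check entirely; either add a matching OVAL definition for the `screen` package or state that the rule is now manual-only. The same hunk also keeps `<ident cce="3910-7" />` and `<tested by="DS" on="20121026"/>` unchanged even though the rule now describes a different package and a different procedure; confirm the CCE still maps to this content and refresh the tested date. Finally, the removed vlock text noted that `-a` prevents switching to other virtual consoles; `screen`'s `ctrl+a x` only locks the screen session and only helps if the user actually started `screen`, so the description should state that limitation rather than present the two as equivalent.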
Excellent, thanks -- please push this.
On 12/20/2012 07:10 AM, David Smith wrote:
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide