Signed-off-by: Jeffrey Blank blank@eclipse.ncsc.mil --- RHEL6/input/auxiliary/transition_notes.xml | 30 +++++++++++++++++++++++---- RHEL6/input/profiles/STIG-server.xml | 6 +++++ 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/RHEL6/input/auxiliary/transition_notes.xml b/RHEL6/input/auxiliary/transition_notes.xml index 32bdc9c..3141809 100644 --- a/RHEL6/input/auxiliary/transition_notes.xml +++ b/RHEL6/input/auxiliary/transition_notes.xml @@ -13,7 +13,7 @@ This is superceded by the system-wide check for improper permissions provided by the package manager. Automating this check became possible with OVAL 5.8. </note>
-<note ref="774,784,788,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" auth="JB"> +<note ref="774,784,788,823,824,899,900,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" auth="JB"> The security argument is not apparent or salient. </note>
@@ -26,10 +26,18 @@ Existence of an ACL is not necessarily a problem, and checking for existence of files does not achieve any security goals. Alternatives include denying use of any ACLs unless documented, or simply dropping these rules entirely (preferred). </note>
-<note ref="756,763,773,783,785,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" auth="JB"> +<note ref="756,763,773,783,785,797,798,800,806,807,847,867,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" auth="JB"> This is covered in the RHEL6 content. </note>
+<note ref="808" auth="JB"> +Bothering with umasks: worth the bother? +</note> + +<note ref="805" auth="JB"> +This is covered in the RHEL6 content for NFS mounts. Need to investigate removable media (for which we put in a ticket for configuration options a long time ago). +</note> + <note ref="11945" auth="JB"> What is the distinction and purpose of different MAC levels? </note> @@ -43,15 +51,27 @@ do not even support this capability. This needs to be added to the RHEL6 content. </note>
-<note ref="770,918" auth="JB"> +<note ref="812,813" auth="JB"> +This needs to be added to the RHEL6 content; oddly OVAL checks already exist for it. +</note> + +<note ref="825,907,910,916,917" auth="JB"> +Is this a concern on a modern system? +</note> + +<note ref="770,918,921,922" auth="JB"> This is covered in the RHEL6 content in a slightly different manner. </note>
+<note ref="827" auth="JB"> +This needs to be added to the RHEL6 content, as well as a complete re-write of its CUPS section. +</note> + <note ref="12022" auth="JB"> This is covered in the RHEL6 content in a slightly different manner: iptables is required. </note>
-<note ref="12005" auth="JB"> +<note ref="1011,12005" auth="JB"> This is covered in the RHEL6 content in a slightly different manner: xinetd is required to be disabled, and inetd is not available as part of RHEL6. </note>
@@ -68,7 +88,7 @@ This is covered in the RHEL6 content in a slightly different manner: xinetd serv Finger is still part of RHEL, and so a separate rule could be created for this if we were so inclined. </note>
-<note ref="4692,4694,12006" auth="JB"> +<note ref="835,4692,4694,12006" auth="JB"> Postfix is the mail server on RHEL 6, and items peculiar to sendmail no longer apply. </note>
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml index 08c8ddb..fa11c8e 100644 --- a/RHEL6/input/profiles/STIG-server.xml +++ b/RHEL6/input/profiles/STIG-server.xml @@ -30,6 +30,12 @@ <select idref="service_bluetooth_disabled" selected="true" /> <select idref="account_disable_post_pw_expiration" selected="true" />
+<select idref="sticky_world_writable_dirs" selected="true" /> +<select idref="world_writable_files_system_ownership" selected="true" /> +<select idref="tftpd_uses_secure_mode" selected="true" /> + + + <select idref="ftp_present_banner" selected="true" />
<!-- from inherited Rule, limiting_password_reuse -->
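Review bot: the unchanged context line of the first transition_notes.xml hunk (@@ -13,7 +13,7 @@) still reads "superceded"; since this commit already touches the file, correcting it to "superseded" here would be cheap. On the changed line, the refs 823,824,899,900 are added to the "security argument is not apparent or salient" note with no hint of what those items ask for, so a later reader has to look each one up to judge the call; a short clause per group of refs would make the note self-contained.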
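Review bot: the new ref="805" note in the @@ -26,10 +26,18 @@ hunk says a ticket for removable-media configuration options was filed "a long time ago" but gives no ticket identifier, so nobody can follow the dependency up; add the ticket number or URL to the note. The new ref="808" note ("Bothering with umasks: worth the bother?") records a question rather than a disposition, unlike the neighbouring notes that state whether an item is covered, to be added, or dropped; suggest either stating the intended outcome or marking it explicitly as an open question so it is not mistaken for a decision.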
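Review bot: the new ref="812,813" note in the @@ -43,15 +51,27 @@ hunk says OVAL checks already exist for the item but does not name them, so whoever picks up "needs to be added to the RHEL6 content" has to rediscover which checks are meant; naming the existing OVAL definitions (or the Rule ids they should be attached to) would make the note actionable. The same applies to "Is this a concern on a modern system?" (ref="825,907,910,916,917"), which leaves the disposition of five items open; if the intent is to drop them, say so.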
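Review bot: style point on the @@ -68,7 +88,7 @@ hunk: the Postfix note writes "RHEL 6" while the other notes visible in this patch use "RHEL6"; worth normalizing in the same edit that adds ref 835. Substantively, the note says sendmail-specific items no longer apply but does not say which RHEL6 rule covers the Postfix equivalent, so a reader cannot tell whether 835 is being dropped or mapped to existing content.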
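Review bot: the STIG-server.xml hunk (@@ -30,6 +30,12 @@) adds three empty lines after the tftpd_uses_secure_mode select; they look accidental and should be dropped before merge. Also, the profile uses comments such as `<!-- from inherited Rule, limiting_password_reuse -->` to record where a select comes from, but the three new selects (sticky_world_writable_dirs, world_writable_files_system_ownership, tftpd_uses_secure_mode) carry no such comment, so their link to the transition-note refs added in the same commit is not recorded; add the corresponding comment to each.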
Ack.
On 07/30/2012 08:52 PM, Jeffrey Blank wrote:
Ack
On Jul 30, 2012, at 8:52 PM, Jeffrey Blank blank@eclipse.ncsc.mil wrote:
-- 1.7.1
scap-security-guide mailing list scap-security-guide@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide