Ack.

On 07/30/2012 08:52 PM, Jeffrey Blank wrote:
Signed-off-by: Jeffrey Blank<[email protected]>
---
  RHEL6/input/auxiliary/transition_notes.xml |   30 +++++++++++++++++++++++----
  RHEL6/input/profiles/STIG-server.xml       |    6 +++++
  2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/RHEL6/input/auxiliary/transition_notes.xml 
b/RHEL6/input/auxiliary/transition_notes.xml
index 32bdc9c..3141809 100644
--- a/RHEL6/input/auxiliary/transition_notes.xml
+++ b/RHEL6/input/auxiliary/transition_notes.xml
@@ -13,7 +13,7 @@ This is superceded by the system-wide check for improper 
permissions provided
  by the package manager. Automating this check became possible with OVAL 5.8.
  </note>

-<note ref="774,784,788,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" 
auth="JB">
+<note 
ref="774,784,788,823,824,899,900,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" 
auth="JB">
  The security argument is not apparent or salient.
  </note>

@@ -26,10 +26,18 @@ Existence of an ACL is not necessarily a problem, and 
checking for existence of
  files does not achieve any security goals. Alternatives include denying use 
of any ACLs unless documented, or simply dropping these rules entirely 
(preferred).
  </note>

-<note 
ref="756,763,773,783,785,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386"
 auth="JB">
+<note 
ref="756,763,773,783,785,797,798,800,806,807,847,867,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386"
 auth="JB">
  This is covered in the RHEL6 content.
  </note>

+<note ref="808" auth="JB">
+Bothering with umasks: worth the bother?
+</note>
+
+<note ref="805" auth="JB">
+This is covered in the RHEL6 content for NFS mounts.  Need to investigate 
removable media (for which we put in a ticket for configuration options a long 
time ago).
+</note>
+
  <note ref="11945" auth="JB">
  What is the distinction and purpose of different MAC levels?
  </note>
@@ -43,15 +51,27 @@ do not even support this capability.
  This needs to be added to the RHEL6 content.
  </note>

-<note ref="770,918" auth="JB">
+<note ref="812,813" auth="JB">
+This needs to be added to the RHEL6 content; oddly OVAL checks already exist 
for it.
+</note>
+
+<note ref="825,907,910,916,917" auth="JB">
+Is this a concern on a modern system?
+</note>
+
+<note ref="770,918,921,922" auth="JB">
  This is covered in the RHEL6 content in a slightly different manner.
  </note>

+<note ref="827" auth="JB">
+This needs to be added to the RHEL6 content, as well as a complete re-write of 
its CUPS section.
+</note>
+
  <note ref="12022" auth="JB">
  This is covered in the RHEL6 content in a slightly different manner: iptables 
is required.
  </note>

-<note ref="12005" auth="JB">
+<note ref="1011,12005" auth="JB">
  This is covered in the RHEL6 content in a slightly different manner: xinetd 
is required to be disabled, and inetd is not available as part of RHEL6.
  </note>

@@ -68,7 +88,7 @@ This is covered in the RHEL6 content in a slightly different 
manner: xinetd serv
  Finger is still part of RHEL, and so a separate rule could be created for 
this if we were so inclined.
  </note>

-<note ref="4692,4694,12006" auth="JB">
+<note ref="835,4692,4694,12006" auth="JB">
  Postfix is the mail server on RHEL 6, and items peculiar to sendmail no 
longer apply.
  </note>

diff --git a/RHEL6/input/profiles/STIG-server.xml 
b/RHEL6/input/profiles/STIG-server.xml
index 08c8ddb..fa11c8e 100644
--- a/RHEL6/input/profiles/STIG-server.xml
+++ b/RHEL6/input/profiles/STIG-server.xml
@@ -30,6 +30,12 @@
  <select idref="service_bluetooth_disabled" selected="true" />
  <select idref="account_disable_post_pw_expiration" selected="true" />

+<select idref="sticky_world_writable_dirs" selected="true" />
+<select idref="world_writable_files_system_ownership" selected="true" />
+<select idref="tftpd_uses_secure_mode" selected="true" />
+
+
+
  <select idref="ftp_present_banner" selected="true" />

  <!-- from inherited Rule, limiting_password_reuse -->
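Review bot: The three blank lines added after the `tftpd_uses_secure_mode` select are stray whitespace; the rest of this profile separates groups of selects with a single blank line, so collapse them to one. The three new idrefs (`sticky_world_writable_dirs`, `world_writable_files_system_ownership`, `tftpd_uses_secure_mode`) have to match Rule ids that actually exist in the RHEL6 content; that cannot be verified from this patch, and a select whose idref resolves to nothing would presumably leave the STIG-server profile silently missing the check, so it is worth confirming they resolve at build time. A short grouping comment above the new lines, in the style of the existing `<!-- from inherited Rule, limiting_password_reuse -->`, such as `<!-- world-writable directory/file ownership and tftpd secure mode -->`, would also make it clear why these three were added together.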
