Ack
On Jul 30, 2012, at 8:52 PM, Jeffrey Blank <[email protected]> wrote: > > Signed-off-by: Jeffrey Blank <[email protected]> > --- > RHEL6/input/auxiliary/transition_notes.xml | 30 +++++++++++++++++++++++---- > RHEL6/input/profiles/STIG-server.xml | 6 +++++ > 2 files changed, 31 insertions(+), 5 deletions(-) > > diff --git a/RHEL6/input/auxiliary/transition_notes.xml > b/RHEL6/input/auxiliary/transition_notes.xml > index 32bdc9c..3141809 100644 > --- a/RHEL6/input/auxiliary/transition_notes.xml > +++ b/RHEL6/input/auxiliary/transition_notes.xml > @@ -13,7 +13,7 @@ This is superceded by the system-wide check for improper > permissions provided > by the package manager. Automating this check became possible with OVAL 5.8. > </note> > > -<note > ref="774,784,788,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" > auth="JB"> > +<note > ref="774,784,788,823,824,899,900,4342,4385,22319,22320,22321,22322,23953,27275,27276,27279" > auth="JB"> > The security argument is not apparent or salient. > </note> 
> > @@ -26,10 +26,18 @@ Existence of an ACL is not necessarily a problem, and > checking for existence of > files does not achieve any security goals. Alternatives include denying use > of any ACLs unless documented, or simply dropping these rules entirely > (preferred). > </note> > > -<note > ref="756,763,773,783,785,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" > auth="JB"> > +<note > ref="756,763,773,783,785,797,798,800,806,807,847,867,4687,4688,11945,11947,11948,11972,11973,12003,22290,22341,22342,22343,24386" > auth="JB"> > This is covered in the RHEL6 content. > </note> > > +<note ref="808" auth="JB"> > +Bothering with umasks: worth the bother? > +</note> > + > +<note ref="805" auth="JB"> > +This is covered in the RHEL6 content for NFS mounts. Need to investigate > removable media (for which we put in a ticket for configuration options a > long time ago). > +</note> > + > <note ref="11945" auth="JB"> > What is the distinction and purpose of different MAC levels? > </note> 
> @@ -43,15 +51,27 @@ do not even support this capability. > This needs to be added to the RHEL6 content. > </note> > > -<note ref="770,918" auth="JB"> > +<note ref="812,813" auth="JB"> > +This needs to be added to the RHEL6 content; oddly OVAL checks already exist > for it. > +</note> > + > +<note ref="825,907,910,916,917" auth="JB"> > +Is this a concern on a modern system? > +</note> > + > +<note ref="770,918,921,922" auth="JB"> > This is covered in the RHEL6 content in a slightly different manner. > </note> > > +<note ref="827" auth="JB"> > +This needs to be added to the RHEL6 content, as well as a complete re-write > of its CUPS section. > +</note> > + > <note ref="12022" auth="JB"> > This is covered in the RHEL6 content in a slightly different manner: iptables > is required. > </note> > > -<note ref="12005" auth="JB"> > +<note ref="1011,12005" auth="JB"> > This is covered in the RHEL6 content in a slightly different manner: xinetd > is required to be disabled, and inetd is not available as part of RHEL6. > </note> > > @@ -68,7 +88,7 @@ This is covered in the RHEL6 content in a slightly > different manner: xinetd serv > Finger is still part of RHEL, and so a separate rule could be created for > this if we were so inclined. > </note> > > -<note ref="4692,4694,12006" auth="JB"> > +<note ref="835,4692,4694,12006" auth="JB"> > Postfix is the mail server on RHEL 6, and items peculiar to sendmail no > longer apply. > </note> > > diff --git a/RHEL6/input/profiles/STIG-server.xml > b/RHEL6/input/profiles/STIG-server.xml > index 08c8ddb..fa11c8e 100644 > --- a/RHEL6/input/profiles/STIG-server.xml > +++ b/RHEL6/input/profiles/STIG-server.xml 
> @@ -30,6 +30,12 @@ > <select idref="service_bluetooth_disabled" selected="true" /> > <select idref="account_disable_post_pw_expiration" selected="true" /> > > +<select idref="sticky_world_writable_dirs" selected="true" /> > +<select idref="world_writable_files_system_ownership" selected="true" /> > +<select idref="tftpd_uses_secure_mode" selected="true" /> > + > + > + > <select idref="ftp_present_banner" selected="true" /> > > <!-- from inherited Rule, limiting_password_reuse --> > -- > 1.7.1 > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
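Review bot: in the transition_notes.xml hunk at `@@ -26,10 +26,18 @@`, the new note for ref 805 says a ticket was filed for removable-media configuration options but does not identify it; add the ticket reference to the note so the removable-media follow-up stays traceable. The new note for ref 808 (`+Bothering with umasks: worth the bother?`) records a question rather than a disposition, while the other notes in this file state a decision (covered, needs to be added, dropped); either state whether umask requirements will be carried into the RHEL6 content or mark the entry explicitly as an open item.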
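Review bot: in the transition_notes.xml hunk at `@@ -43,15 +51,27 @@`, the note for refs 812,813 says `oddly OVAL checks already exist` for rules that are missing from the RHEL6 content; name those OVAL check ids in the note so the missing rules can be wired up without re-discovering them. The note for refs 825,907,910,916,917 (`+Is this a concern on a modern system?`) is likewise a question with no disposition. The note for ref 827 bundles one missing rule with `a complete re-write of its CUPS section`; consider tracking the CUPS re-write in its own note so it is not lost behind a single rule addition.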
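Review bot: in the STIG-server.xml hunk at `@@ -30,6 +30,12 @@`, the three empty `+` lines after `+<select idref="tftpd_uses_secure_mode" selected="true" />` leave a triple blank gap before `ftp_present_banner`; drop them so the select list stays as compact as the rest of the profile. The three new selects also arrive without the kind of comment the profile uses elsewhere to tie a select back to its origin (`<!-- from inherited Rule, limiting_password_reuse -->`); adding one that names the STIG items these three rules satisfy would keep the profile consistent with the traceability the transition_notes.xml changes in this patch are meant to provide.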
