Jeff,

Always happy to help.  I didn't make it all the way through the content since I 
'think' Gary was working on some of the items lower in the list.  I will double 
check with him and see if he has any updates.  If not, I will go through and 
address the remaining items. 

Vince

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of 
Jeffrey Blank
Sent: Wednesday, August 15, 2012 7:41 AM
To: [email protected]
Subject: Re: [PATCH] RHEL 5 => RHEL 6 Mapping + comments

Consider this an ACK -- and I just pushed it for you.

Thanks very much -- we appreciate the help from Aqueduct.  We are now fairly 
close to completion regarding analysis/documentation of the transition of 
best-practices settings from the RHEL 5 STIG to the RHEL 6 content.  Ensuring 
completeness for the list of required settings for the STIG profile remains a 
very high and very short term priority for the project, and this advances that 
considerably.

Thanks,
Jeff



On 08/14/2012 06:15 PM, Vincent Passaro wrote:
> All,
> 
> Here is my patch for the rundown of open line items being mapped to RHEL 6 
> requirements.
> 
> Hopefully I didn't screw this up too much, let me know if I did and I'll go 
> adjust.  Be gentle, Aqueduct is all SVN, so still learning the oddities of 
> Git.  That and my eyes started bleeding about 1/2 through this. 
> 
> Thanks,
> 
> Vince
> 
> From a0cc954760b031f6c4014f323871373e8b40e750 Mon Sep 17 00:00:00 2001
> From: Vincent Passaro <[email protected]>
> Date: Tue, 14 Aug 2012 15:10:07 -0700
> Subject: [PATCH] VP Patch for RHEL 5 / RHEL 6 Mapping
> 
> ---
>  RHEL6/input/auxiliary/transition_notes.xml | 666 
> +++++++++++++++++++++++++++++
>  1 file changed, 666 insertions(+)
> 
> diff --git a/RHEL6/input/auxiliary/transition_notes.xml 
> b/RHEL6/input/auxiliary/transition_notes.xml
> index 7cb67c2..d43ca16 100644
> --- a/RHEL6/input/auxiliary/transition_notes.xml
> +++ b/RHEL6/input/auxiliary/transition_notes.xml
> @@ -2,6 +2,672 @@
>  <!-- This file enables documentation of how the RHEL 5 STIG requirements
>       will be migrated to consensus for RHEL 6. -->
>  
> +<note ref="931" auth="VP">
> +This is not in the RHEL 6 content.  Nosuid / nodev checks address perms on 
> NFS shares.
> +</note>
> +
> +<note ref="1026" auth="VP">
> +This is not in the RHEL 6 content.  The requirements SSL / Localhost will be 
> addressed via the Web Stig, there is no need (IMHO) to require this twice.
> +</note>
> +
> +<note ref="1047" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="4387" auth="VP">
> +This is covered in the RHEL 6 content. The check CCE-3987-5 meets 
> +this requirement </note>
> +
> +<note ref="4392" auth="VP">
> +This is not covered in the RHEL 6 content.  This check is entirely 
> +manual and shouldn't be added to RHEL 6 content </note>
> +
> +<note ref="4395" auth="VP">
> +This is covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="4397" auth="VP">
> +This is covered in the RHEL 6 content.  CCE-4191-3 </note>
> +
> +<note ref="4399" auth="VP">
> +This is covered in the RHEL 6 content by setting NIS to disabled.
> +</note>
> +
> +<note ref="4427" auth="VP">
> +This is covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="4428" auth="VP">
> +This is covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="4690" auth="VP">
> +This is covered in the RHEL 6 content.  By applying patches, this 
> +requirement will be addressed </note>
> +
> +<note ref="4691" auth="VP">
> +This is covered in the RHEL 6 content.  By applying patches, this 
> +requirement will be addressed </note>
> +
> +<note ref="4695" auth="VP">
> +This is covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="4697" auth="VP">
> +This is not covered in the RHEL 6 content.  There is a check to 
> +disable a GUI, but a GUI is sometimes required for install of 3rd 
> +party apps (Oracle, Weblogic, etc) </note>
> +
> +<note ref="4702" auth="VP">
> +This is covered in the RHEL 6 content in a slightly different manner.  
> +CCE-3919-8 is set vsftpd to off </note>
> +
> +<note ref="11976" auth="VP">
> +This is covered in RHEL 6 content in a slightly different manner. CCE-4092-3 
> sets pass max days in /etc/login.defs, not shadow.
> +</note>
> +
> +<note ref="11980" auth="VP">
> +This is covered in RHEL 6 content in a slightly different manner.  
> +CCE-17248-6 states a *.*, which would include the authpriv being 
> +submitted to the loghost.  The audit.rules settings are not called 
> +out </note>
> +
> +<note ref="11980" auth="VP">
> +This is not covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="11983" auth="VP">
> +This is not covered in the RHEL 6 content.  This will have to be a manual 
> check IF it is to be included.
> +</note>
> +
> +<note ref="11984" auth="VP">
> +This is not covered in the RHEL 6 content.  Default settings from RH should 
> be acceptable for this and should be covered in the rpm verify check.
> +</note>
> +
> +<note ref="11985" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="11987" auth="VP">
> +This is covered in the RHEL 6 content in a slightly different manner.  NIS+ 
> is to be set to disable / erased.
> +</note>
> +
> +<note ref="11988" auth="VP">
> +This is covered in the RHEL 6 content in a slightly different manner.  
> CCE-TODO requires .rhosts file to be removed.
> +</note>
> +
> +<note ref="11989" auth="VP">
> +This is covered in the RHEL 6 content in a slightly different manner.  
> CCE-TODO requires .rhosts file to be removed.
> +</note>
> +
> +<note ref="11990" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="11995" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="11996" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="11999" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="12002" auth="VP">
> +This is covered in the RHEL 6 content.  CCE-4236-6 </note>
> +
> +<note ref="12004" auth="VP">
> +This is covered in RHEL 6 content in a slightly different manner.  
> +CCE-17248-6 states a *.*, which would include the authpriv being 
> +submitted to the loghost.  The audit.rules settings are not called 
> +out </note>
> +
> +<note ref="12010" auth="VP">
> +This is covered in the RHEL 6 content.  CCE-4236-6 </note>
> +
> +<note ref="12011" auth="VP">
> +This is not covered in the RHEL 6 content.  The RHEL 6 requirement is 
> +to disable FTP </note>
> +
> +<note ref="12014" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="12017" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="12023" auth="VP">
> +This is covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="12028" auth="VP">
> +This is covered in the RHEL 6 content.  This is a manual check.  Previously 
> have addressed this with DISA about this that HBSS (which is required on 
> systems) meets this requirement.
> +</note>
> +
> +<note ref="12030" auth="VP">
> +This is not covered in the RHEL 6 content. 
> +</note>
> +
> +<note ref="22301" auth="VP">
> +This is covered in the RHEL 6 content. CCE-14735-5 </note>
> +
> +<note ref="22302" auth="VP">
> +This is covered in the RHEL 6 content. CCE-14063-2 </note>
> +
> +<note ref="22303" auth="VP">
> +This is covered in the RHEL 6 content. CCE-14063-2 </note>
> +
> +<note ref="22304" auth="VP">
> +This is covered in the RHEL 6 content. CCE-14063-2 </note>
> +
> +<note ref="22305" auth="VP">
> +This is covered in the RHEL 6 content. CCE-14063-2 </note>
> +
> +<note ref="22306" auth="VP">
> +This is covered in the RHEL 6 content. CCE-14701-7 </note>
> +
> +<note ref="22307" auth="VP">
> +This is covered in the RHEL 6 content. 
> +</note>
> +
> +<note ref="22308" auth="VP">
> +This is not covered in the RHEL 6 content. 
> +</note>
> +
> +<note ref="22312" auth="VP">
> +This is not covered in the RHEL 6 content. This is a manual check.
> +</note>
> +
> +<note ref="22339" auth="VP">
> +This is covered in the RHEL 6 content. 
> +</note>
> +
> +<note ref="22347" auth="VP">
> +This is covered in the RHEL 6 content. CCE-14300-8 </note>
> +
> +<note ref="22348" auth="VP">
> +This is not covered in the RHEL 6 content. 
> +</note>
> +
> +<note ref="22349" auth="VP">
> +This is not covered in the RHEL 6 content. 
> +</note>
> +
> +<note ref="22351" auth="VP">
> +This is not covered in the RHEL 6 content.  This is a manual check.  This 
> check typically fails with accounts for Oracle (ora:dba) is a good example of 
> this.
> +</note>
> +
> +<note ref="22358" auth="VP">
> +This is not covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="22369" auth="VP">
> +This is not covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="22374" auth="VP">
> +This is covered in the RHEL 6 content in a slightly different 
> +mannger.  RHEL 6 admin_space_left_action = ACTION </note>
> +
> +<note ref="22375" auth="VP">
> +This is covered in the RHEL 6 content in a slightly different 
> +mannger.  RHEL 6 admin_space_left_action = ACTION </note>
> +
> +<note ref="22376" auth="VP">
> +-w /usr/sbin/useradd -p x -k useradd - Not in RHEL 6 -w 
> +/usr/sbin/groupadd -p x -k groupadd - Not in RHEL 6 -w /etc/passwd -p 
> +a -k passwd  - Is in RHEL 6 -w /etc/shadow -p a -k shadow  - Is in 
> +RHEL 6
> +-w /etc/group -p a -k group    - Is in RHEL 6
> +-w /etc/gshadow -p a -k gshadow - Is in RHEL 6 </note>
> +
> +<note ref="22377" auth="VP">
> +-w /usr/sbin/usermod -p x -k usermod - Not in RHEL 6 -w 
> +/usr/sbin/groupmod -p x -k groupmod - Not in RHEL 6 -w /etc/passwd -p 
> +w -k passwd - Is in RHEL 6 -w /etc/shadow -p w -k shadow - Is in RHEL 
> +6
> +-w /etc/group -p w -k group   - Is in RHEL 6
> +-w /etc/gshadow -p w -k gshadow - Is in RHEL 6 </note>
> +
> +<note ref="22378" auth="VP">
> +-w /usr/bin/passwd -p x -k passwd - Not in RHEL 6 </note>
> +
> +<note ref="22382" auth="VP">
> +-w /usr/sbin/userdel -p x - Not in RHEL 6 -w /usr/sbin/groupdel -p x 
> +- Not in RHEL 6 </note>
> +
> +<note ref="22383" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22385" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22391" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22397" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22404" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22405" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22408" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22409" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22410" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22411" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22414" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22415" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22416" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22417" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22418" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22419" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22421" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22422" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22429" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22430" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22431" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22432" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22433" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22434" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22440" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22447" auth="VP">
> +This is covered in RHEL 6  content in a slightly different manner.  
> +CCE-3765-5 sets SNMP to disabled </note>
> +
> +<note ref="22448" auth="VP">
> +This is covered in RHEL 6 content in a slightly different manner.  
> +CCE-3765-5 sets SNMP to disabled </note>
> +
> +<note ref="22449" auth="VP">
> +This is covered in RHEL 6 content in a slightly different manner.  
> +CCE-3765-5 sets SNMP to disabled </note>
> +
> +<note ref="22455" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22456" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22457" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22458" auth="VP">
> +This is not covered in RHEL 6 content.  This is a manual check 
> +</note>
> +
> +<note ref="22461" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22462" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22463" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22470" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22471" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22472" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22473" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22474" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22475" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22485" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22486" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22487" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22488" auth="VP">
> +This is not covered in RHEL 6 content </note>
> +
> +<note ref="22490" auth="VP">
> +This is not covered in RHEL 6 content.  IPV6 is set to disabled in 
> +RHEL 6 content </note>
> +
> +<note ref="22491" auth="VP">
> +This is not covered in RHEL 6 content.  IPV6 is set to disabled in 
> +RHEL 6 content </note>
> +
> +<note ref="22499" auth="VP">
> +This is not covered in RHEL 6 content.  
> +</note>
> +
> +<note ref="22500" auth="VP">
> +This is not covered in RHEL 6 content.  
> +</note>
> +
> +<note ref="22501" auth="VP">
> +This is not covered in RHEL 6 content.  
> +</note>
> +
> +<note ref="22506" auth="VP">
> +This is not covered in RHEL 6 content.  This is a manual check 
> +</note>
> +
> +<note ref="22507" auth="VP">
> +This is not covered in RHEL 6 content.  AIDE is set to be installed, but not 
> configuration changes are set for the aide.conf in RHEL 6 content.
> +</note>
> +
> +<note ref="22508" auth="VP">
> +This is not covered in RHEL 6 content.  AIDE is set to be installed, but not 
> configuration changes are set for the aide.conf in RHEL 6 content.
> +</note>
> +
> +<note ref="22511" auth="VP">
> +This is covered in RHEL 6 content. 
> +</note>
> +
> +<note ref="22514" auth="VP">
> +This is covered in RHEL 6 content. 
> +</note>
> +
> +<note ref="22524" auth="VP">
> +This is not covered in RHEL 6 content. 
> +</note>
> +
> +<note ref="22530" auth="VP">
> +This is covered in RHEL 6 content. 
> +</note>
> +
> +<note ref="22533" auth="VP">
> +This is covered in RHEL 6 content. 
> +</note>
> +
> +<note ref="22539" auth="VP">
> +This is not covered in RHEL 6 content. 
> +</note>
> +
> +<note ref="22541" auth="VP">
> +This is not covered in RHEL 6 content. IPV6 is set to be disabled 
> +</note>
> +
> +<note ref="22542" auth="VP">
> +This is not covered in RHEL 6 content. IPV6 is set to be disabled 
> +</note>
> +
> +<note ref="22545" auth="VP">
> +This is not covered in RHEL 6 content.  IPV6 is set to be disabled 
> +</note>
> +
> +<note ref="22546" auth="VP">
> +This is not covered in RHEL 6 content.  IPV6 is set to be disabled 
> +</note>
> +
> +<note ref="22547" auth="VP">
> +This is not covered in RHEL 6 content.  IPV6 is set to be disabled 
> +</note>
> +
> +<note ref="22548" auth="VP">
> +This is covered in RHEL 6 content in a slightly different way.
> +</note>
> +
> +<note ref="22549" auth="VP">
> +This is covered in RHEL 6 content in a slightly different way.
> +</note>
> +
> +<note ref="22550" auth="VP">
> +This is covered in RHEL 6 content
> +</note>
> +
> +<note ref="22553" auth="VP">
> +This is not covered in RHEL 6 content.  IPV6 is set to be disabled 
> +</note>
> +
> +<note ref="22555" auth="VP">
> +This is covered in RHEL 6 content. 
> +</note>
> +
> +<note ref="22556" auth="VP">
> +This is covered in RHEL 6 content. This is a manual check </note>
> +
> +<note ref="22557" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22558" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22563" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22564" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22565" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22567" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22568" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22569" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22571" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22572" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22573" auth="VP">
> +This is not covered in RHEL 6 content.
> +</note>
> +
> +<note ref="22575" auth="VP">
> +This is not covered in RHEL 6 content.  *note* DISA FSO stated HBSS 
> +meets this requirement </note>
> +
> +<note ref="22577" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22582" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22583" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22586" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22587" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22588" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22589" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22598" auth="VP">
> +This is covered in the RHEL 6 content </note>
> +
> +<note ref="22665" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="22702" auth="VP">
> +This is not covered in the RHEL 6 content </note>
> +
> +<note ref="23732" auth="VP">
> +This is not covered in the RHEL 6 content.  FTP is set to be disabled 
> +in RHEL 6 </note>
> +
> +<note ref="23736" auth="VP">
> +This is covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="23738" auth="VP">
> +This is covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="23739" auth="VP">
> +This is covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="23741" auth="VP">
> +This is not covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="23952" auth="VP">
> +This is not covered in the RHEL 6 content.
> +</note>
> +
> +<note ref="23972" auth="VP">
> +This is not covered in the RHEL 6 content.  IPV6 is set to be 
> +disabled </note>
> +
> +<note ref="24331" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="24384" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="24624" auth="VP">
> +This is covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="27250" auth="VP">
> +This is not covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="27283" auth="VP">
> +This is covered in the RHEL 6 content.  
> +</note>
> +
> +<note ref="27284" auth="VP">
> +This is covered in the RHEL 6 content.  
> +</note>
>  
>  <note 
> ref="760,923,925,4246,4247,4248,4255,4357,4398,11986,12018,12020,12021
> ,  22310,22311,22578,22579,27251,22579,22580,27251" auth="JB">
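
Review bot: ref="11980" is used by two consecutive notes in this hunk with conflicting findings: the first says the item is covered "in a slightly different manner" via CCE-17248-6, the second says "This is not covered in the RHEL 6 content." Please check whether the second note was meant for a different requirement number, or drop whichever one is wrong, so that each ref resolves to a single verdict. The notes for 11988 and 11989 still carry the placeholder "CCE-TODO"; either fill in the identifier or say that none is assigned yet. "mannger" in the notes for 22374 and 22375 should read "manner". In the notes for 22376, 22377 and 22382 the audit rules and their "Is in RHEL 6" / "Not in RHEL 6" verdicts run together on shared lines; one rule per line would make it clear which verdict belongs to which rule.
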
> 
> 
> 
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
___________________________
Jeffrey Blank
410-854-8675
Technology and Systems Analysis / Network Components NSA Information Assurance 