Signed-off-by: David Smith <[email protected]> --- RHEL6/input/system/accounts/banners.xml | 5 +++++ RHEL6/input/system/logging.xml | 23 +++++++++++++++++++++++ RHEL6/input/system/network/ipv6.xml | 8 ++++++-- 3 files changed, 34 insertions(+), 2 deletions(-)
diff --git a/RHEL6/input/system/accounts/banners.xml b/RHEL6/input/system/accounts/banners.xml index da5a16f..708ca75 100644 --- a/RHEL6/input/system/accounts/banners.xml +++ b/RHEL6/input/system/accounts/banners.xml @@ -51,6 +51,11 @@ Edit <tt>/etc/issue</tt>. Replace the default text with a message compliant with the local site policy or a legal disclaimer. <!--<sub idref="login_banner_text" />--> </description> +<ocil clause="it does not display a message compliant with the environment"> +To ensure the system login banner is compliant with the needs of the system environment, + run the following command: +<pre>$ cat /etc/issue</pre> +</ocil> <rationale> Although unlikely to dissuade a serious attacker, the warning message reinforces policy awareness during the logon process. diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index d24b421..854409d 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml @@ -126,6 +126,10 @@ If the owner is not <tt>root</tt>, run the following command to correct this: <pre># chown root <i>LOGFILE</i></pre> </description> +<ocil clause="the owner is not root"> +To see the owner of a given log file, run the following command: +<pre>$ ls -l <i>LOGFILE</i></pre> +</ocil> <rationale>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</rationale> 
@@ -147,6 +151,10 @@ If the owner is not <tt>root</tt>, run the following command to correct this: <pre># chgrp root <i>LOGFILE</i></pre> </description> +<ocil clause="the group-owner is not root"> +To see the group-owner of a given log file, run the following command: +<pre>$ ls -l <i>LOGFILE</i></pre> +</ocil> <rationale>The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access.</rationale> @@ -170,6 +178,11 @@ If the permissions are not 600 or more restrictive, run the following command to correct this: <pre># chmod 0600 <i>LOGFILE</i></pre> </description> +<ocil clause="the permissions are not correct"> +To see the permissions of a given log file, run the following command: +<pre>$ ls -l <i>LOGFILE</i></pre> +The permissions should be 600, or more restrictive. +</ocil> <rationale>Log files can contain valuable information regarding system configuratation. If the system log files are not protected unauthorized users could change the logged data, eliminaating their foresive value. 
@@ -228,6 +241,16 @@ To use TCP for log message delivery: To use RELP for log message delivery: <pre>*.* :omrelp:<i>loghost.example.com</i></pre> </description> +<ocil clause="neither of these are present"> +To ensure logs are sent to a remote host, examine the file +<pre>/etc/rsyslog.conf</pre> +If using UDP, a line similar to the following should be present: +<pre> *.* @<i>loghost.example.com</i></pre> +If using TCP, a line similar to the following should be present: +<pre> *.* @@<i>loghost.example.com</i></pre> +If using RELP, a line similar to the following should be present: +<pre> *.* :omrelp:<i>loghost.example.com</i></pre> +</ocil> <rationale>A log server (loghost) receives syslog messages from one or more systems. This data can be used as an additional log source in the event a system is compromised and its local logs are suspect. Forwarding log messages diff --git a/RHEL6/input/system/network/ipv6.xml b/RHEL6/input/system/network/ipv6.xml index b703e1d..f065e56 100644 --- a/RHEL6/input/system/network/ipv6.xml +++ b/RHEL6/input/system/network/ipv6.xml @@ -22,10 +22,10 @@ instruct the IPv6 kernel module not to load it.</description> This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. </description> -<ocil> +<ocil clause="there are no such lines"> If the system is configured to prevent the loading of the <tt>ipv6</tt> kernel module, it will contain a line -of the form +of the form: <pre>options ipv6 disable=1</pre> inside any file in <tt>/etc/modprobe.d</tt> or the deprecated<tt>/etc/modprobe.conf</tt>. This permits insertion of the IPv6 kernel module (which other parts of the system 
@@ -128,6 +128,10 @@ advertisements should be: <tt><sub idref="sysctl_net_ipv6_conf_default_accept_ra <description>The setting for accepting IPv6 redirects should be: <tt><sub idref="sysctl_net_ipv6_conf_default_accept_redirects_value" /></tt> for all interfaces. To do so add the following lines to <tt>/etc/sysctl.conf</tt> to limit the configuration information requested from other systems, and accepted from the network: <pre>net.ipv6.conf.default.accept_redirects = <sub idref="sysctl_net_ipv6_conf_default_accept_redirects_value" /></pre> </description> +<ocil clause="there is not output"> +To ensure IPv6 redirects are disabled, run the following command: +<pre># grep ipv6 /etc/sysctl.conf</pre> +</ocil> <ident cce="CCE-4313-3" /> <oval id="sysctl_net_ipv6_conf_default_accept_redirects" value="sysctl_net_ipv6_conf_default_accept_redirects_value" /> <ref nist="CM-6, CM-7" /> -- 1.7.1
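Review bot: In the banners.xml hunk (@@ -51,6 +51,11 @@), the clause "it does not display a message compliant with the environment" gives the assessor nothing concrete to compare the output of cat /etc/issue against. The description just above already names the standard ("a message compliant with the local site policy or a legal disclaimer"), so the clause and check text should reuse that wording. The second line of the check text also carries a stray leading space (" run the following command:").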
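Review bot: In the logging.xml hunk at @@ -147,6 +151,10 @@, the new clause says "the group-owner is not root" but the description line directly above the chgrp command still reads "If the owner is not root". The description and the check now disagree on which attribute is being tested; change the description to "group-owner" in the same patch so the remediation text matches the clause.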
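Review bot: In the logging.xml hunk at @@ -170,6 +178,11 @@, the clause "the permissions are not correct" does not state the pass criterion; the threshold only appears in a trailing sentence after the pre block. Suggest making the clause itself "the permissions are not 600 or more restrictive" so the finding condition is self-contained. The rationale in the trailing context also has typos worth fixing while this rule is being touched ("configuratation", "eliminaating", "foresive").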
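Review bot: In the logging.xml hunk at @@ -228,6 +241,16 @@, the clause "neither of these are present" is wrong for a check that lists three alternatives (UDP, TCP, RELP); use "none of these are present". The file path is also wrapped in a pre block (<pre>/etc/rsyslog.conf</pre>) where the rest of the patch uses tt for paths, and each example line has a leading space inside its pre block that the matching lines in the description do not have.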
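Review bot: In the first ipv6.xml hunk (@@ -22,10 +22,10 @@), the context line "or the deprecated<tt>/etc/modprobe.conf</tt>" is missing a space before the tt element. Since this hunk is already fixing punctuation in the same sentence ("of the form:"), the spacing should be corrected here as well.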
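Review bot: In the second ipv6.xml hunk (@@ -128,6 +128,10 @@), the check "grep ipv6 /etc/sysctl.conf" with clause "there is not output" is too loose to verify this rule. Any line containing "ipv6" in the file produces output, so the check passes when net.ipv6.conf.default.accept_redirects is absent or set to a value other than the one the description requires. Suggest grepping for net.ipv6.conf.default.accept_redirects specifically and stating the expected value in the check text, with a clause that covers both a missing line and a wrong value. The clause wording should also read "there is no output".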
