ack -- please push On 09/26/2012 01:22 PM, David Smith wrote: > Signed-off-by: David Smith <[email protected]> > --- > RHEL6/input/system/accounts/banners.xml | 5 +++++ > RHEL6/input/system/logging.xml | 23 +++++++++++++++++++++++ > RHEL6/input/system/network/ipv6.xml | 8 ++++++-- > 3 files changed, 34 insertions(+), 2 deletions(-) > > diff --git a/RHEL6/input/system/accounts/banners.xml > b/RHEL6/input/system/accounts/banners.xml > index da5a16f..708ca75 100644 > --- a/RHEL6/input/system/accounts/banners.xml > +++ b/RHEL6/input/system/accounts/banners.xml > @@ -51,6 +51,11 @@ Edit <tt>/etc/issue</tt>. Replace the default text with a > message > compliant with the local site policy or a legal disclaimer. > <!--<sub idref="login_banner_text" />--> > </description> > +<ocil clause="it does not display a message compliant with the environment"> > +To ensure the system login banner is compliant with the needs of the system > environment, > + run the following command: > +<pre>$ cat /etc/issue</pre> > +</ocil> > <rationale> > Although unlikely to dissuade a serious attacker, the warning message > reinforces policy awareness during the logon process. > diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml > index d24b421..854409d 100644 > --- a/RHEL6/input/system/logging.xml > +++ b/RHEL6/input/system/logging.xml > @@ -126,6 +126,10 @@ If the owner is not <tt>root</tt>, run the following > command to > correct this: > <pre># chown root <i>LOGFILE</i></pre> > </description> > +<ocil clause="the owner is not root"> > +To see the owner of a given log file, run the following command: > +<pre>$ ls -l <i>LOGFILE</i></pre> > +</ocil> > <rationale>The log files generated by rsyslog contain valuable information > regarding system > configuration, user authentication, and other such information. Log files > should be > protected from unauthorized access.</rationale> 
> @@ -147,6 +151,10 @@ If the owner is not <tt>root</tt>, run the following > command to > correct this: > <pre># chgrp root <i>LOGFILE</i></pre> > </description> > +<ocil clause="the group-owner is not root"> > +To see the group-owner of a given log file, run the following command: > +<pre>$ ls -l <i>LOGFILE</i></pre> > +</ocil> > <rationale>The log files generated by rsyslog contain valuable information > regarding system > configuration, user authentication, and other such information. Log files > should be > protected from unauthorized access.</rationale> > @@ -170,6 +178,11 @@ If the permissions are not 600 or more restrictive, > run the following command to correct this: > <pre># chmod 0600 <i>LOGFILE</i></pre> > </description> > +<ocil clause="the permissions are not correct"> > +To see the permissions of a given log file, run the following command: > +<pre>$ ls -l <i>LOGFILE</i></pre> > +The permissions should be 600, or more restrictive. > +</ocil> > <rationale>Log files can contain valuable information regarding system > configuratation. If the system log files are not protected unauthorized > users could change the logged data, eliminaating their foresive value. 
> @@ -228,6 +241,16 @@ To use TCP for log message delivery: > To use RELP for log message delivery: > <pre>*.* :omrelp:<i>loghost.example.com</i></pre> > </description> > +<ocil clause="neither of these are present"> > +To ensure logs are sent to a remote host, examine the file > +<pre>/etc/rsyslog.conf</pre> > +If using UDP, a line similar to the following should be present: > +<pre> *.* @<i>loghost.example.com</i></pre> > +If using TCP, a line similar to the following should be present: > +<pre> *.* @@<i>loghost.example.com</i></pre> > +If using RELP, a line similar to the following should be present: > +<pre> *.* :omrelp:<i>loghost.example.com</i></pre> > +</ocil> > <rationale>A log server (loghost) receives syslog messages from one or more > systems. This data can be used as an additional log source in the event a > system is compromised and its local logs are suspect. Forwarding log messages > diff --git a/RHEL6/input/system/network/ipv6.xml > b/RHEL6/input/system/network/ipv6.xml > index b703e1d..f065e56 100644 > --- a/RHEL6/input/system/network/ipv6.xml > +++ b/RHEL6/input/system/network/ipv6.xml > @@ -22,10 +22,10 @@ instruct the IPv6 kernel module not to load > it.</description> > This permits the IPv6 module to be loaded (and thus satisfy other modules > that depend on it), > while disabling support for the IPv6 protocol. > </description> > -<ocil> > +<ocil clause="there are no such lines"> > If the system is configured to prevent the loading of the > <tt>ipv6</tt> kernel module, it will contain a line > -of the form > +of the form: > <pre>options ipv6 disable=1</pre> > inside any file in <tt>/etc/modprobe.d</tt> or the > deprecated<tt>/etc/modprobe.conf</tt>. > This permits insertion of the IPv6 kernel module (which other parts of the > system 
> @@ -128,6 +128,10 @@ advertisements should be: <tt><sub > idref="sysctl_net_ipv6_conf_default_accept_ra > <description>The setting for accepting IPv6 redirects should be: <tt><sub > idref="sysctl_net_ipv6_conf_default_accept_redirects_value" /></tt> for all > interfaces. To do so add the following lines to <tt>/etc/sysctl.conf</tt> to > limit the configuration information requested from other systems, and > accepted from the network: > <pre>net.ipv6.conf.default.accept_redirects = <sub > idref="sysctl_net_ipv6_conf_default_accept_redirects_value" /></pre> > </description> > +<ocil clause="there is not output"> > +To ensure IPv6 redirects are disabled, run the following command: > +<pre># grep ipv6 /etc/sysctl.conf</pre> > +</ocil> > <ident cce="CCE-4313-3" /> > <oval id="sysctl_net_ipv6_conf_default_accept_redirects" > value="sysctl_net_ipv6_conf_default_accept_redirects_value" /> > <ref nist="CM-6, CM-7" />
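Review bot: In the banners.xml hunk (@@ -51,6 +51,11 @@), the clause "it does not display a message compliant with the environment" does not match the wording of the description just above it, which asks for "a message compliant with the local site policy or a legal disclaimer". Consider using the same terms in the clause and in the check text so that an auditor reading the `cat /etc/issue` output knows which standard to compare it against. The added line " run the following command:" also carries a stray leading space.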
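Review bot: In the logging.xml owner and group-owner hunks (@@ -126,6 +126,10 @@ and @@ -147,6 +151,10 @@), the check text is the same `ls -l LOGFILE` command in both places and never says which field of the output answers the question. Suggest adding a sentence that the owner is the third column and the group-owner the fourth, or switching to `stat -c "%U %G" LOGFILE` so the output contains only the values being checked. Neither check says how the reader is meant to determine LOGFILE; if the description above the visible context already explains that, a short pointer back to it would help.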
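Review bot: In the logging.xml permissions hunk (@@ -170,6 +178,11 @@), the clause "the permissions are not correct" is vaguer than the criterion stated two lines later ("The permissions should be 600, or more restrictive."). Suggest a clause such as "the permissions are not 0600 or more restrictive" so the finding statement is self-contained. It would also help to show what a passing `ls -l` mode string looks like, for example `-rw-------`. While this rule is being touched, the rationale in the trailing context has typos worth fixing in the same commit: "configuratation", "eliminaating" and "foresive".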
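Review bot: In the logging.xml remote-logging hunk (@@ -228,6 +241,16 @@), the clause "neither of these are present" refers to three alternatives (UDP, TCP, RELP), so it should read "none of these are present". The file name is wrapped as `<pre>/etc/rsyslog.conf</pre>`, while file paths elsewhere in this patch use `<tt>` (for example `<tt>/etc/issue</tt>`); `<tt>` inline would be consistent. The three added `<pre>` examples also begin with a space (`<pre> *.* @`), unlike the description's `<pre>*.* :omrelp:`, and should be aligned with it.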
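Review bot: In the ipv6.xml module hunk (@@ -22,10 +22,10 @@), the new clause "there are no such lines" is attached to check text that gives the reader no command to run, unlike every other check added in this patch. Suggest adding one that searches the locations the text names, such as `grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d`, so the clause has concrete output to refer to. The context line `deprecated<tt>/etc/modprobe.conf</tt>` is also missing a space before the tag and could be fixed in passing.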
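Review bot: In the ipv6.xml accept_redirects hunk (@@ -128,6 +128,10 @@), the check `grep ipv6 /etc/sysctl.conf` is too broad for the clause it is paired with: any IPv6 line in the file, such as an accept_ra setting, produces output and the rule would then appear to pass. Suggest grepping for `net.ipv6.conf.default.accept_redirects` specifically and stating the expected value in the check text, with the clause reworded to cover a wrong value as well as a missing line. The clause "there is not output" should read "there is no output", and the `#` prompt is inconsistent with the `$` used for the other read-only checks in this patch.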
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
