On 12/3/12 6:54 PM, Shawn Wells wrote:
In support of ticket 163
https://fedorahosted.org/scap-security-guide/ticket/163

0001-DISA-FSO-requested-updates-to-RHEL6-input-system-sof.patch


 From 43c14d9a5474491d7241f105b496dafadf813403 Mon Sep 17 00:00:00 2001
From: Shawn Wells<[email protected]>
Date: Mon, 3 Dec 2012 20:51:52 -0500
Subject: [PATCH] DISA FSO requested updates to 
RHEL6/input/system/software/updating.xml
  DISA FSO requested updates to RHEL6/input/system/software/updating.xml
  Thank you FSO for the copy editing!

---
  RHEL6/input/system/software/updating.xml |   22 +++++++++++-----------
  1 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/RHEL6/input/system/software/updating.xml 
b/RHEL6/input/system/software/updating.xml
index 4ed4123..9bb8611 100644
--- a/RHEL6/input/system/software/updating.xml
+++ b/RHEL6/input/system/software/updating.xml
@@ -21,20 +21,20 @@ for this reason, their use is strongly encouraged.
  <Rule id="ensure_redhat_gpgkey_installed" severity="high">
  <title>Ensure Red Hat GPG Key Installed</title>
  <description>
-To ensure that the system can cryptographically verify base software
+To ensure the system can cryptographically verify base software
  packages come from Red Hat (and to connect to the Red Hat Network to
  receive them if desired), the Red Hat GPG key must properly be installed.
-To ensure that the GPG key is installed, run:
+To ensure the GPG key is installed, run:
  <pre># rhn_register</pre>
  </description>
  <ocil clause="the Red Hat GPG Key isn't installed">
-To ensure that the GPG key is installed, run:
+To ensure the GPG key is installed, run:
  <pre>$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey</pre>
-The command should return the string:
+The command should return the string below:
  <pre>gpg(Red Hat, Inc. (release key &lt;[email protected]&gt;)</pre>
  </ocil>
  <rationale>
-This key is necessary to cryptographically verify that packages
+This key is necessary to cryptographically verify packages
  are from Red Hat.
  </rationale>
  <ident cce="14440-2"/>
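Review bot: In the ocil block, the expected-output line "gpg(Red Hat, Inc. (release key ...)" opens two parentheses and closes only one, so an auditor comparing the rpm output against it literally may not get a match. Since this pass already rewords the sentence that introduces it, replace the string with the exact output of the rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey command on a reference system. That query prints a line for every imported gpg-pubkey package, so the text should also say the Red Hat key must be among the lines returned. Separately, the description tells the reader to run rhn_register to ensure the key is installed while the check uses rpm; one sentence connecting the two would help.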
@@ -48,16 +48,16 @@ are from Red Hat.
       ensure they have configured an update source! -->
  <Rule id="ensure_gpgcheck_globally_activated" severity="high">
  <title>Ensure gpgcheck Enabled In Main Yum Configuration</title>
-<description>The <tt>gpgcheck</tt> option should be used to ensure that
+<description>The <tt>gpgcheck</tt> option should be used to ensure
  checking of an RPM package's signature always occurs prior to its
  installation. To configure yum to check package signatures before installing
-them, ensure that the following line appears in <tt>/etc/yum.conf</tt> in
+them, ensure the following line appears in <tt>/etc/yum.conf</tt> in
  the <tt>[main]</tt> section:
  <pre>gpgcheck=1</pre>
  </description>
  <ocil clause="GPG checking isn't enabled">
  To determine whether <tt>yum</tt> is configured to use <tt>gpgcheck</tt>,
-inspect <tt>/etc/yum.conf</tt> and ensure that the following appears in the
+inspect <tt>/etc/yum.conf</tt> and ensure the following appears in the
  <tt>[main]</tt> section:
  <pre>gpgcheck=1</pre>
  A value of <tt>1</tt> indicates that <tt>gpgcheck</tt> is enabled. Absence of 
a
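Review bot: In the description, dropping "that" from "should be used to ensure that checking of an RPM package's signature always occurs" makes the sentence harder to parse, because "ensure checking" now reads as a verb and its object until the reader reaches "always occurs". Either keep "that" here or recast the sentence, for example "The gpgcheck option makes yum check an RPM package's signature prior to its installation." The ocil text in the same hunk still says "indicates that", so the edit is also not applied uniformly within the rule.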
@@ -77,20 +77,20 @@ protects against malicious tampering.
<Rule id="ensure_gpgcheck_never_disabled" severity="high">
  <title>Ensure gpgcheck Enabled For All Yum Package Repositories</title>
-<description>To ensure that signature checking is not disabled for
+<description>To ensure signature checking is not disabled for
  any repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the 
form:
  <pre>gpgcheck=0</pre>
  </description>
  <ocil clause="GPG checking is disabled">
  To determine whether <tt>yum</tt> has been configured to disable
  <tt>gpgcheck</tt> for any repos,  inspect all files in
-<tt>/etc/yum.repos.d</tt> and ensure that the following does not appear in any
+<tt>/etc/yum.repos.d</tt> and ensure the following does not appear in any
  sections:
  <pre>gpgcheck=0</pre>
  A value of <tt>0</tt> indicates that <tt>gpgcheck</tt> has been disabled for 
that repo.
  </ocil>
  <rationale>
-Ensuring that all packages' cryptographic signatures are valid prior to
+Ensuring all packages' cryptographic signatures are valid prior to
  installation ensures the provenance of the software and
  protects against malicious tampering.
  </rationale>
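Review bot: The description for ensure_gpgcheck_never_disabled only says to remove gpgcheck=0 lines from files in /etc/yum.repos.d, which leaves each repo dependent on the [main] setting covered by ensure_gpgcheck_globally_activated. Add a sentence saying so, or recommend an explicit gpgcheck=1 in the repo sections. Two style points in the same hunk are left untouched by this copy-edit pass: the double space in "for any repos,  inspect" and the repetition in "Ensuring all packages' cryptographic signatures are valid ... ensures the provenance".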
-- 1.7.1

Ack and pushed

--
Shawn Wells
Technical Director,
U.S. Intelligence Programs
(e) [email protected]
(c) 443.534.0130

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
