Signed-off-by: David Smith <[email protected]> --- RHEL6/input/system/logging.xml | 3 +++ RHEL6/input/system/permissions/execution.xml | 5 +++++ RHEL6/input/system/permissions/partitions.xml | 5 +++++ 3 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index ff08cb8..514859d 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml @@ -383,6 +383,9 @@ enabled.</description> <rationale>Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full.</rationale> +<ocil> +<service-enable-check-macro service="logrotate" /> +</ocil> <ident cce="4182-2" /> <oval id="logrotate_rotate_all_files" /> <ref nist="AU-2, AU-9, CM-6" disa="366" /> diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml index a80c40a..03e1c44 100644 --- a/RHEL6/input/system/permissions/execution.xml +++ b/RHEL6/input/system/permissions/execution.xml @@ -37,6 +37,11 @@ Setting the umask to too restrictive a setting can cause serious errors at runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. </description> +<ocil clause="it does not"> +To check the value of the <tt>umask</tt>, run the following command: +<pre>$ grep umask /etc/init.d/functions</pre> +The output should show either <tt>022</tt> or <tt>027</tt>. +</ocil> <rationale>The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.</rationale> diff --git a/RHEL6/input/system/permissions/partitions.xml b/RHEL6/input/system/permissions/partitions.xml index 4efa626..8dd7720 100644 --- a/RHEL6/input/system/permissions/partitions.xml +++ b/RHEL6/input/system/permissions/partitions.xml 
@@ -64,6 +64,11 @@ certain types of worms or malicious code. </description> <rationale>Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise.</rationale> +<ocil clause="it does not"> +To verify that binaries cannot be directly executed from removable media, run the following command: +<pre># grep noexec /etc/fstab</pre> +The output should show <tt>noexec</tt> in use. +</ocil> <ident cce="4275-4" /> <oval id="mount_option_noexec_removable_partitions" value="var_removable_partition" /> <ref nist="CM-7, MP-2" disa="87" /> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
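Review bot: In the logging.xml hunk, `<service-enable-check-macro service="logrotate" />` tells the assessor to verify a service called logrotate is enabled, but on RHEL 6 logrotate is not an init service; it is run daily from cron (/etc/cron.daily/logrotate), so the macro would expand to a check that cannot pass. It also does not match the rule it sits under, whose OVAL id is `logrotate_rotate_all_files`, i.e. a configuration check that every log file is covered by a rotation stanza. Suggest replacing the macro with a manual check that inspects /etc/logrotate.conf and /etc/logrotate.d/ for the expected entries, and adding the `clause="it does not"` attribute the other two hunks use so the generated OCIL question reads consistently.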
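Review bot: In the execution.xml hunk, `<pre>$ grep umask /etc/init.d/functions</pre>` will match any line containing the word, including comments and variable references, so "The output should show either <tt>022</tt> or <tt>027</tt>" is not precise enough for an assessor to decide pass/fail. Suggest stating the exact line form expected, e.g. `umask 022` or `umask 027`, and noting that the check covers only the system default for init scripts; the description's remark that many daemons set their own `umask 077` means individual init scripts may legitimately differ from this value.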
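Review bot: In the partitions.xml hunk, `# grep noexec /etc/fstab` can report `noexec` in use for unrelated mounts (e.g. /tmp or /dev/shm) while the removable partition has no such option, and removable media that are auto-mounted rather than listed in /etc/fstab produce no matching line at all, so "The output should show <tt>noexec</tt> in use" does not test what the rule states. The OVAL line `<oval id="mount_option_noexec_removable_partitions" value="var_removable_partition" />` binds the check to a specific partition; suggest the OCIL text tell the assessor to look at the /etc/fstab entry for that partition (or the output of `mount` for it) and confirm `noexec` appears in that entry's options. The `#` prompt also differs from the `$` prompt used in the execution.xml hunk; /etc/fstab is world-readable, so either is fine, but pick one for consistency.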
