On 12/14/12 2:10 PM, David Smith wrote:
Signed-off-by: David Smith<[email protected]>
---
  RHEL6/input/system/logging.xml                |    3 +++
  RHEL6/input/system/permissions/execution.xml  |    5 +++++
  RHEL6/input/system/permissions/partitions.xml |    5 +++++
  3 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml
index ff08cb8..514859d 100644
--- a/RHEL6/input/system/logging.xml
+++ b/RHEL6/input/system/logging.xml
@@ -383,6 +383,9 @@ enabled.</description>
  <rationale>Log files that are not properly rotated run the risk of growing so 
large
  that they fill up the /var/log partition. Valuable logging information could 
be lost
  if the /var/log partition becomes full.</rationale>
+<ocil>
+<service-enable-check-macro service="logrotate" />
+</ocil>
  <ident cce="4182-2" />
  <oval id="logrotate_rotate_all_files" />
  <ref nist="AU-2, AU-9, CM-6" disa="366" />
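Review bot: the added <ocil> uses <service-enable-check-macro service="logrotate" />, which checks that a service is enabled, while this rule's OVAL id (logrotate_rotate_all_files) and its rationale are about whether log files are actually rotated. An enabled-service check does not tell the auditor that every log file is covered. Suggest replacing the macro with check text that has the auditor inspect the logrotate configuration for the log files in use, and giving the element a clause attribute as the other two hunks do.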
diff --git a/RHEL6/input/system/permissions/execution.xml 
b/RHEL6/input/system/permissions/execution.xml
index a80c40a..03e1c44 100644
--- a/RHEL6/input/system/permissions/execution.xml
+++ b/RHEL6/input/system/permissions/execution.xml
@@ -37,6 +37,11 @@ Setting the umask to too restrictive a setting can cause 
serious errors at
  runtime.  Many daemons on the system already individually restrict themselves 
to
  a umask of 077 in their own init scripts.
  </description>
+<ocil clause="it does not">
+To check the value of the <tt>umask</tt>, run the following command:
+<pre>$ grep umask /etc/init.d/functions</pre>
+The output should show either <tt>022</tt> or <tt>027</tt>.
+</ocil>

What about /etc/profile, /etc/bashrc, /etc/csh.cshrc, etc?


  <rationale>The umask influences the permissions assigned to files created by a
  process at run time.  An unnecessarily permissive umask could result in files
  being created with insecure permissions.</rationale>
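Review bot: the check in the added <ocil> greps only /etc/init.d/functions, and the pattern umask is unanchored, so it matches any line containing the word, comments included, leaving the auditor to pick the relevant value out by eye. Suggest stating which line the output is expected to show and saying in the check text that it covers the daemon umask set in that file. The block also sits between </description> and <rationale>, while the other two hunks place <ocil> after </rationale>; moving it keeps the element order consistent.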
diff --git a/RHEL6/input/system/permissions/partitions.xml 
b/RHEL6/input/system/permissions/partitions.xml
index 4efa626..8dd7720 100644
--- a/RHEL6/input/system/permissions/partitions.xml
+++ b/RHEL6/input/system/permissions/partitions.xml
@@ -64,6 +64,11 @@ certain types of worms or malicious code.
  </description>
  <rationale>Allowing users to execute binaries from removable media such as 
USB keys exposes
  the system to potential compromise.</rationale>
+<ocil clause="it does not">
+To verify that binaries cannot be directly executed from removable media, run 
the following command:
+<pre># grep noexec /etc/fstab</pre>
+The output should show <tt>noexec</tt> in use.
+</ocil>
  <ident cce="4275-4" />
  <oval id="mount_option_noexec_removable_partitions" 
value="var_removable_partition" />
  <ref nist="CM-7, MP-2" disa="87" />
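Review bot: grep noexec /etc/fstab in the added <ocil> succeeds if any line of /etc/fstab carries noexec, not only the removable-media entries that this rule and its OVAL reference (value="var_removable_partition") are about. Suggest wording the check so the auditor confirms that noexec appears in the mount options of each removable-media partition, and have "The output should show noexec in use" name those entries.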
-- 1.7.1
