Those are in there. If you're looking at the prose guide output, they're in a section "Ensure That Users Have Sensible Umask Value."
It could also have made sense to put "all things umask" together, instead of separate sections for user session and system-wide settings (as we'd done). On 12/17/2012 07:03 PM, Shawn Wells wrote: > On 12/14/12 2:10 PM, David Smith wrote: >> Signed-off-by: David Smith <[email protected]> >> <mailto:[email protected]> >> --- >> RHEL6/input/system/logging.xml | 3 +++ >> RHEL6/input/system/permissions/execution.xml | 5 +++++ >> RHEL6/input/system/permissions/partitions.xml | 5 +++++ >> 3 files changed, 13 insertions(+), 0 deletions(-) >> >> diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml >> index ff08cb8..514859d 100644 >> --- a/RHEL6/input/system/logging.xml >> +++ b/RHEL6/input/system/logging.xml >> @@ -383,6 +383,9 @@ enabled.</description> >> <rationale>Log files that are not properly rotated run the risk of growing >> so large >> that they fill up the /var/log partition. Valuable logging information >> could be lost >> if the /var/log partition becomes full.</rationale> >> +<ocil> >> +<service-enable-check-macro service="logrotate" /> >> +</ocil> >> <ident cce="4182-2" /> >> <oval id="logrotate_rotate_all_files" /> >> <ref nist="AU-2, AU-9, CM-6" disa="366" /> >> diff --git a/RHEL6/input/system/permissions/execution.xml >> b/RHEL6/input/system/permissions/execution.xml >> index a80c40a..03e1c44 100644 >> --- a/RHEL6/input/system/permissions/execution.xml >> +++ b/RHEL6/input/system/permissions/execution.xml 
>> @@ -37,6 +37,11 @@ Setting the umask to too restrictive a setting can cause >> serious errors at >> runtime. Many daemons on the system already individually restrict >> themselves to >> a umask of 077 in their own init scripts. >> </description> >> +<ocil clause="it does not"> >> +To check the value of the <tt>umask</tt>, run the following command: >> +<pre>$ grep umask /etc/init.d/functions</pre> >> +The output should show either <tt>022</tt> or <tt>027</tt>. >> +</ocil> > > What about /etc/profile, /etc/bashrc, /etc/csh.cshrc, etc? > > >> <rationale>The umask influences the permissions assigned to files created >> by a >> process at run time. An unnecessarily permissive umask could result in >> files >> being created with insecure permissions.</rationale> >> diff --git a/RHEL6/input/system/permissions/partitions.xml >> b/RHEL6/input/system/permissions/partitions.xml >> index 4efa626..8dd7720 100644 >> --- a/RHEL6/input/system/permissions/partitions.xml >> +++ b/RHEL6/input/system/permissions/partitions.xml 
>> @@ -64,6 +64,11 @@ certain types of worms or malicious code. >> </description> >> <rationale>Allowing users to execute binaries from removable media such as >> USB keys exposes >> the system to potential compromise.</rationale> >> +<ocil clause="it does not"> >> +To verify that binaries cannot be directly executed from removable media, >> run the following command: >> +<pre># grep noexec /etc/fstab</pre> >> +The output should show <tt>noexec</tt> in use. >> +</ocil> >> <ident cce="4275-4" /> >> <oval id="mount_option_noexec_removable_partitions" >> value="var_removable_partition" /> >> <ref nist="CM-7, MP-2" disa="87" /> >> -- 1.7.1 > > > > _______________________________________________ > scap-security-guide mailing list > [email protected] > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
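Review bot: in the logging.xml hunk, `<service-enable-check-macro service="logrotate" />` turns the manual check into "is the logrotate service enabled", but on RHEL 6 logrotate is not an init service; it is run from the daily cron job (/etc/cron.daily/logrotate), so the expanded OCIL text would send the reader looking for a service that does not exist. The rule's OVAL id is logrotate_rotate_all_files and the rationale is about log files not being rotated, so the OCIL should instead ask the reader to confirm that the rotation configuration (/etc/logrotate.conf and /etc/logrotate.d/) covers the log files and that the cron job is present.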
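Review bot: the execution.xml hunk's OCIL accepts "either 022 or 027"; confirm that the OVAL check paired with this rule accepts the same two values, otherwise the manual and automated results will disagree on the same system. Anchor the grep to the setting itself, e.g. `<pre>$ grep '^umask' /etc/init.d/functions</pre>`, since an unanchored `grep umask` also matches comments and any other line mentioning the word. Shawn's question about /etc/profile and /etc/bashrc is answered by the description above the hunk: this rule covers the daemon umask set in the init functions file, and the per-user shell umask belongs to its own rule.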
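Review bot: `grep noexec /etc/fstab` in the partitions.xml hunk passes if any mount at all carries noexec, not the removable partition this rule is about; the OVAL is parameterised by var_removable_partition, so the manual check should point the reader at that partition's /etc/fstab line (and, because removable media is often not listed in fstab, at its entry in the `mount` output) and require noexec among its options. The `#` prompt is also inconsistent with the `$` prompt used in the execution.xml hunk; /etc/fstab is readable by an unprivileged user.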
