See the attached patch for the following files:
scap-security-guide/RHEL6/input/system/accounts/session.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_etc_profile.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_bash_users.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_csh.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_login_defs.xml
scap-security-guide/RHEL6/input/profiles/usgcb-rhel6-server.xml
scap-security-guide/RHEL6/input/profiles/common.xml
scap-security-guide/RHEL6/input/profiles/maritz-rhel6-server.xml
scap-security-guide/RHEL6/input/profiles/test.xml
scap-security-guide/RHEL6/input/profiles/stig-rhel6-server.xml
The results are now:
Ensure the Default Bash Umask is Set Correctly fail
Ensure the Default C Shell Umask is Set Correctly fail
Ensure the Default Umask is Set Correctly in /etc/profile fail
Ensure the Default Umask is Set Correctly in login.defs pass
Set Daemon Umask fail
--
Brian Millett
"If anyone asks, say it fell from the sky."
-- [ Delenn to Sinclair (re: Vorlon files), "The Gathering"]
--- ./input/system/accounts/session.xml.orig 2013-02-05 19:24:21.154059732 -0600
+++ ./input/system/accounts/session.xml 2013-02-05 20:20:15.095815440 -0600
@@ -193,11 +193,40 @@
<pre>umask 077</pre>
</li>
-->
-<Value id="umask_user_value" type="string"
-operator="equals" interactive="0">
+<Value id="var_accounts_umask_bash_users" type="string" operator="equals" interactive="0">
<title>Sensible umask</title>
<description>Enter default user umask</description>
-<value selector="">027</value>
+<value selector="">077</value>
+<value selector="007">007</value>
+<value selector="022">022</value>
+<value selector="027">027</value>
+<value selector="077">077</value>
+</Value>
+
+<Value id="var_accounts_umask_csh" type="string" operator="equals" interactive="0">
+<title>Sensible umask</title>
+<description>Enter default user umask</description>
+<value selector="">077</value>
+<value selector="007">007</value>
+<value selector="022">022</value>
+<value selector="027">027</value>
+<value selector="077">077</value>
+</Value>
+
+<Value id="var_accounts_umask_etc_profile" type="string" operator="equals" interactive="0">
+<title>Sensible umask</title>
+<description>Enter default user umask</description>
+<value selector="">077</value>
+<value selector="007">007</value>
+<value selector="022">022</value>
+<value selector="027">027</value>
+<value selector="077">077</value>
+</Value>
+
+<Value id="var_accounts_umask_login_defs" type="string" operator="equals" interactive="0">
+<title>Sensible umask</title>
+<description>Enter default user umask</description>
+<value selector="">077</value>
<value selector="007">007</value>
<value selector="022">022</value>
<value selector="027">027</value>
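Review bot: The four new `<Value>` elements on L30, L41, L51 and L61 all carry the same title `Sensible umask` and description `Enter default user umask`, so a tailoring tool or the generated guide cannot tell which file each one governs; give each a title naming its file, e.g. `<title>Default umask for /etc/bashrc</title>` on the first one. The unrefined default also moves from `027` (L33) to `077` (L34) for all four, which is stricter than before and applies to every profile that does not refine these ids; the mail does not mention this, so it is worth stating in the change description if it is intentional. The closing tag of the last Value lies past the end of the hunk.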
@@ -210,7 +239,7 @@
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!-- <sub idref="var_accounts_umask_bash_users" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
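Review bot: The `<sub idref="var_accounts_umask_bash_users" />` on L73 is still inside an XML comment, so the description keeps the literal `umask 077` and will not follow whatever selector a profile refines the variable to; the same applies to L90, L108 and L126. If the `<sub>` was commented out for a rendering reason, a short note beside it, e.g. `<!-- sub kept commented out: text shows the 077 default, keep in sync with the Value above -->`, would stop the prose and the variable from silently diverging. The enclosing `<Rule>` starts outside the hunk.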
@@ -226,7 +255,7 @@
</ocil>
<ident cce="26917-5" />
-<oval id="accounts_umask_bash_users" value="umask_user_value"/>
+<oval id="accounts_umask_bash_users" value="var_accounts_umask_bash_users"/>
<ref nist="" disa="366"/>
<tested by="swells" on="20120929"/>
</Rule>
@@ -236,7 +265,7 @@
<description>
To ensure the default umask for users of the C shell is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/csh.cshrc</tt> to read as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!-- <sub idref="var_accounts_umask_csh" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
@@ -250,7 +279,7 @@
umask 077</pre>
</ocil>
<ident cce="27034-8" />
-<oval id="accounts_umask_csh" value="umask_user_value"/>
+<oval id="accounts_umask_csh" value="var_accounts_umask_csh"/>
<ref nist="" disa="366"/>
<tested by="swells" on="20120929"/>
</Rule>
@@ -260,7 +289,7 @@
<description>
To ensure the default umask controlled by <tt>/etc/profile</tt> is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as follows:
-<pre>umask 077<!--<sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!--<sub idref="var_accounts_umask_etc_profile" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
@@ -274,7 +303,7 @@
<pre># grep "umask" /etc/profile
umask 077</pre>
</ocil>
-<oval id="accounts_umask_etc_profile" value="umask_user_value" />
+<oval id="accounts_umask_etc_profile" value="var_accounts_umask_etc_profile" />
<tested by="swells" on="20120929"/>
<ref nist="" disa="366"/>
</Rule>
@@ -284,7 +313,7 @@
<description>
To ensure the default umask controlled by <tt>/etc/login.defs</tt> is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/login.defs</tt> to read as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!-- <sub idref="var_accounts_umask_login_defs" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
@@ -298,7 +327,7 @@
umask 077</pre>
</ocil>
<ident cce="26371-5" />
-<oval id="accounts_umask_login_defs" value="umask_user_value" />
+<oval id="accounts_umask_login_defs" value="var_accounts_umask_login_defs" />
<ref nist="" disa="366"/>
<tested by="swells" on="20120929" />
</Rule>
--- ./input/checks/accounts_umask_etc_profile.xml.orig 2013-02-05 19:13:06.732138332 -0600
+++ ./input/checks/accounts_umask_etc_profile.xml 2013-02-05 19:17:21.672181348 -0600
@@ -11,25 +11,26 @@
correctly</description>
</metadata>
<criteria>
- <criterion test_ref="test_20090" />
+ <criterion test_ref="test_accounts_umask_etc_profile" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/profile file"
- id="test_20090" version="1">
- <ind:object object_ref="obj_20090" />
- <ind:state state_ref="state_20090" />
+ id="test_accounts_umask_etc_profile" version="1">
+ <ind:object object_ref="obj_accounts_umask_etc_profile" />
+ <ind:state state_ref="state_accounts_umask_etc_profile" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20090"
+ <ind:textfilecontent54_state id="state_accounts_umask_etc_profile"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20090" />
+ var_ref="var_accounts_umask_etc_profile" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20090"
- version="1" />
- <ind:textfilecontent54_object id="obj_20090"
+
+ <external_variable comment="External variable for definition 20087 - 20090" datatype="string" id="var_accounts_umask_etc_profile" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_etc_profile"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>profile</ind:filename>
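Review bot: The `external_variable` comment on L172 still reads `External variable for definition 20087 - 20090`, which referred to the numeric ids this patch removes; the same stale comment remains on L250 and L289, while the bashrc check on L211 already received a descriptive one. A per-file comment such as `comment="umask value expected in /etc/profile"` would keep the four checks consistent. Separately, the state on L163 uses `var_check="all"` together with `check_existence="all_exist"` on L151, so every line matched by the umask expression must equal the selected value; a file carrying more than one umask line would fail regardless of the rename, which may be what the fail results for bashrc, csh.cshrc and profile in the mail reflect, so it is worth confirming against the scanner's per-item output before treating them as a defect of this patch. The `textfilecontent54_object` continues past the hunk.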
--- ./input/checks/accounts_umask_bash_users.xml.orig 2013-02-05 19:12:47.772245115 -0600
+++ ./input/checks/accounts_umask_bash_users.xml 2013-02-05 19:13:24.510333217 -0600
@@ -11,25 +11,26 @@
correctly for the bash shell</description>
</metadata>
<criteria>
- <criterion test_ref="test_20087" />
+ <criterion test_ref="test_accounts_umask_bash_users" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/bashrc file"
- id="test_20087" version="1">
- <ind:object object_ref="obj_20087" />
- <ind:state state_ref="state_20087" />
+ id="test_accounts_umask_bash_users" version="1">
+ <ind:object object_ref="obj_accounts_umask_bash_users" />
+ <ind:state state_ref="state_accounts_umask_bash_users" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20087"
+ <ind:textfilecontent54_state id="state_accounts_umask_bash_users"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20087" />
+ var_ref="var_accounts_umask_bash_users" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20087"
- version="1" />
- <ind:textfilecontent54_object id="obj_20087"
+
+ <external_variable comment="ensure users umask is set in bashrc" datatype="string" id="var_accounts_umask_bash_users" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_bash_users"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>bashrc</ind:filename>
--- ./input/checks/accounts_umask_csh.xml.orig 2013-02-05 19:12:57.635254603 -0600
+++ ./input/checks/accounts_umask_csh.xml 2013-02-05 19:15:53.797087905 -0600
@@ -11,25 +11,26 @@
correctly for the csh shell</description>
</metadata>
<criteria>
- <criterion test_ref="test_20088" />
+ <criterion test_ref="test_accounts_umask_csh" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/csh.cshrc file"
- id="test_20088" version="1">
- <ind:object object_ref="obj_20088" />
- <ind:state state_ref="state_20089" />
+ id="test_accounts_umask_csh" version="1">
+ <ind:object object_ref="obj_accounts_umask_csh" />
+ <ind:state state_ref="state_accounts_umask_csh" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20089"
+ <ind:textfilecontent54_state id="state_accounts_umask_csh"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20089" />
+ var_ref="var_accounts_umask_csh" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20089"
- version="1" />
- <ind:textfilecontent54_object id="obj_20088"
+
+ <external_variable comment="External variable for definition 20087 - 20090" datatype="string" id="var_accounts_umask_csh" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_csh"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>csh.cshrc</ind:filename>
--- ./input/checks/accounts_umask_login_defs.xml.orig 2013-02-05 19:13:14.772287583 -0600
+++ ./input/checks/accounts_umask_login_defs.xml 2013-02-05 19:18:51.432742692 -0600
@@ -11,25 +11,26 @@
correctly</description>
</metadata>
<criteria>
- <criterion test_ref="test_20089" />
+ <criterion test_ref="test_accounts_umask_login_defs" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/login.defs file"
- id="test_20089" version="1">
- <ind:object object_ref="obj_20089" />
- <ind:state state_ref="state_20088" />
+ id="test_accounts_umask_login_defs" version="1">
+ <ind:object object_ref="obj_accounts_umask_login_defs" />
+ <ind:state state_ref="state_accounts_umask_login_defs" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20088"
+ <ind:textfilecontent54_state id="state_accounts_umask_login_defs"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20088" />
+ var_ref="var_accounts_umask_login_defs" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20088"
- version="1" />
- <ind:textfilecontent54_object id="obj_20089"
+
+ <external_variable comment="External variable for definition 20087 - 20090" datatype="string" id="var_accounts_umask_login_defs" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_login_defs"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>login.defs</ind:filename>
--- ./input/profiles/usgcb-rhel6-server.xml.orig 2013-02-05 19:24:46.663316515 -0600
+++ ./input/profiles/usgcb-rhel6-server.xml 2013-02-05 19:54:29.689064773 -0600
@@ -93,7 +93,10 @@
<select idref="root_path_no_dot" selected="true" />
<select idref="root_path_no_groupother_writable" selected="true" />
<select idref="homedir_perms_no_groupwrite_worldread" selected="true" />
-<refine-value idref="umask_user_value" selector="077" />
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<select idref="user_umask_bashrc" selected="true" />
<select idref="user_umask_cshrc" selected="true" />
<select idref="user_umask_profile" selected="true" />
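Review bot: After this patch the Value id `umask_user_value` no longer exists, so any profile that still carries `<refine-value idref="umask_user_value" selector="077" />` references a dangling id; the mail lists maritz-rhel6-server.xml on L9 among the changed files, but no hunk for it appears in the patch, so that profile and any other that refines the old id should be checked. The four new refine-value lines on L302-L305 could also be preceded by a one-line comment such as `<!-- default umask, one variable per file -->` so the reason for four identically-valued refinements is visible in the profile.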
--- ./input/profiles/common.xml.orig 2013-02-05 19:24:54.305363285 -0600
+++ ./input/profiles/common.xml 2013-02-05 19:54:24.185773580 -0600
@@ -254,7 +254,10 @@
<!-- Minimum number of characters not present in old password -->
<refine-value idref="password_history_retain_number" selector="5"/>
<!-- Passwords to remember -->
-<refine-value idref="umask_user_value" selector="077"/>
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<!-- Sensible umask -->
<refine-value idref="login_banner_text" selector="usgcb_default"/>
<!-- login banner verbiage -->
--- ./input/profiles/test.xml.orig 2013-02-05 19:25:03.207794057 -0600
+++ ./input/profiles/test.xml 2013-02-05 19:54:20.058847135 -0600
@@ -48,7 +48,10 @@
<select idref="user_umask_cshrc" selected="true" />
<select idref="user_umask_profile" selected="true" />
<select idref="user_umask_logindefs" selected="true" />
-<refine-value idref="umask_user_value" selector="077"/>
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<select idref="set_daemon_umask" selected="true"/>
--- ./input/profiles/stig-rhel6-server.xml.orig 2013-02-05 19:25:14.092099033 -0600
+++ ./input/profiles/stig-rhel6-server.xml 2013-02-05 19:54:16.386969577 -0600
@@ -70,7 +70,10 @@
<select idref="user_umask_logindefs" selected="true" />
-<refine-value idref="umask_user_value" selector="077"/>
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<select idref="set_daemon_umask" selected="true" />