See attached patch for the following files:
scap-security-guide/RHEL6/input/system/accounts/session.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_etc_profile.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_bash_users.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_csh.xml
scap-security-guide/RHEL6/input/checks/accounts_umask_login_defs.xml
scap-security-guide/RHEL6/input/profiles/usgcb-rhel6-server.xml
scap-security-guide/RHEL6/input/profiles/common.xml
scap-security-guide/RHEL6/input/profiles/maritz-rhel6-server.xml
scap-security-guide/RHEL6/input/profiles/test.xml
scap-security-guide/RHEL6/input/profiles/stig-rhel6-server.xml
Results now are:
Ensure the Default Bash Umask is Set Correctly: fail
Ensure the Default C Shell Umask is Set Correctly: fail
Ensure the Default Umask is Set Correctly in /etc/profile: fail
Ensure the Default Umask is Set Correctly in login.defs: pass
Set Daemon Umask: fail
--
Brian Millett
Enterprise Consulting Group
(314) 205-9030
bpmATec-groupDOTcom

"Shifts in paradigms often cause nose bleeds." Greg Glenn
--- ./input/system/accounts/session.xml.orig 2013-02-05 19:24:21.154059732 -0600
+++ ./input/system/accounts/session.xml 2013-02-05 20:20:15.095815440 -0600
@@ -193,11 +193,40 @@
<pre>umask 077</pre>
</li>
-->
-<Value id="umask_user_value" type="string"
-operator="equals" interactive="0">
+<Value id="var_accounts_umask_bash_users" type="string" operator="equals" interactive="0">
<title>Sensible umask</title>
<description>Enter default user umask</description>
-<value selector="">027</value>
+<value selector="">077</value>
+<value selector="007">007</value>
+<value selector="022">022</value>
+<value selector="027">027</value>
+<value selector="077">077</value>
+</Value>
+
+<Value id="var_accounts_umask_csh" type="string" operator="equals" interactive="0">
+<title>Sensible umask</title>
+<description>Enter default user umask</description>
+<value selector="">077</value>
+<value selector="007">007</value>
+<value selector="022">022</value>
+<value selector="027">027</value>
+<value selector="077">077</value>
+</Value>
+
+<Value id="var_accounts_umask_etc_profile" type="string" operator="equals" interactive="0">
+<title>Sensible umask</title>
+<description>Enter default user umask</description>
+<value selector="">077</value>
+<value selector="007">007</value>
+<value selector="022">022</value>
+<value selector="027">027</value>
+<value selector="077">077</value>
+</Value>
+
+<Value id="var_accounts_umask_login_defs" type="string" operator="equals" interactive="0">
+<title>Sensible umask</title>
+<description>Enter default user umask</description>
+<value selector="">077</value>
<value selector="007">007</value>
<value selector="022">022</value>
<value selector="027">027</value>
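Review bot: the unrefined default changes silently in this hunk: the old `<value selector="">027</value>` becomes `<value selector="">077</value>` in all four new Values, so any profile that does not carry a `refine-value` for these ids will now evaluate against 077 instead of 027. Either keep 027 as the default to preserve the old behaviour or state the change explicitly in the patch description. Separately, all four `<Value>` elements share the identical `<title>Sensible umask</title>` and `<description>Enter default user umask</description>`; a title naming the file each one governs (bashrc, csh.cshrc, /etc/profile, login.defs) would let tailoring tools and the generated guide tell them apart.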
@@ -210,7 +239,7 @@
To ensure the default umask for users of the Bash shell is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/bashrc</tt> to read
as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!-- <sub idref="var_accounts_umask_bash_users" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
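Review bot: the `<sub idref="var_accounts_umask_bash_users" />` is still inside an XML comment, so the rendered description always shows the literal `umask 077` no matter which selector a profile picks for the variable (a profile refining to 027 would display guidance that contradicts its own check). If the text is meant to track the refined value, move the `<sub>` out of the comment and drop the literal; the same applies to the csh, /etc/profile and login.defs descriptions further down.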
@@ -226,7 +255,7 @@
</ocil>
<ident cce="26917-5" />
-<oval id="accounts_umask_bash_users" value="umask_user_value"/>
+<oval id="accounts_umask_bash_users" value="var_accounts_umask_bash_users"/>
<ref nist="" disa="366"/>
<tested by="swells" on="20120929"/>
</Rule>
@@ -236,7 +265,7 @@
<description>
To ensure the default umask for users of the C shell is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/csh.cshrc</tt> to read as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!-- <sub idref="var_accounts_umask_csh" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
@@ -250,7 +279,7 @@
umask 077</pre>
</ocil>
<ident cce="27034-8" />
-<oval id="accounts_umask_csh" value="umask_user_value"/>
+<oval id="accounts_umask_csh" value="var_accounts_umask_csh"/>
<ref nist="" disa="366"/>
<tested by="swells" on="20120929"/>
</Rule>
@@ -260,7 +289,7 @@
<description>
To ensure the default umask controlled by <tt>/etc/profile</tt> is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as follows:
-<pre>umask 077<!--<sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!--<sub idref="var_accounts_umask_etc_profile" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
@@ -274,7 +303,7 @@
<pre># grep "umask" /etc/profile
umask 077</pre>
</ocil>
-<oval id="accounts_umask_etc_profile" value="umask_user_value" />
+<oval id="accounts_umask_etc_profile" value="var_accounts_umask_etc_profile" />
<tested by="swells" on="20120929"/>
<ref nist="" disa="366"/>
</Rule>
@@ -284,7 +313,7 @@
<description>
To ensure the default umask controlled by <tt>/etc/login.defs</tt> is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/login.defs</tt> to read as follows:
-<pre>umask 077<!-- <sub idref="umask_user_value" /> --></pre>
+<pre>umask 077<!-- <sub idref="var_accounts_umask_login_defs" /> --></pre>
</description>
<rationale>The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read and/or
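Review bot: the idref rename is fine, but the example text `<pre>umask 077...</pre>` in this hunk does not match the syntax of `/etc/login.defs`, which takes its setting as an uppercase `UMASK 077` directive rather than a shell `umask` command; the description should show `UMASK 077` so that an administrator following it literally does not add a line login.defs ignores.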
@@ -298,7 +327,7 @@
umask 077</pre>
</ocil>
<ident cce="26371-5" />
-<oval id="accounts_umask_login_defs" value="umask_user_value" />
+<oval id="accounts_umask_login_defs" value="var_accounts_umask_login_defs" />
<ref nist="" disa="366"/>
<tested by="swells" on="20120929" />
</Rule>
--- ./input/checks/accounts_umask_etc_profile.xml.orig 2013-02-05 19:13:06.732138332 -0600
+++ ./input/checks/accounts_umask_etc_profile.xml 2013-02-05 19:17:21.672181348 -0600
@@ -11,25 +11,26 @@
correctly</description>
</metadata>
<criteria>
- <criterion test_ref="test_20090" />
+ <criterion test_ref="test_accounts_umask_etc_profile" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/profile file"
- id="test_20090" version="1">
- <ind:object object_ref="obj_20090" />
- <ind:state state_ref="state_20090" />
+ id="test_accounts_umask_etc_profile" version="1">
+ <ind:object object_ref="obj_accounts_umask_etc_profile" />
+ <ind:state state_ref="state_accounts_umask_etc_profile" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20090"
+ <ind:textfilecontent54_state id="state_accounts_umask_etc_profile"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20090" />
+ var_ref="var_accounts_umask_etc_profile" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20090"
- version="1" />
- <ind:textfilecontent54_object id="obj_20090"
+
+ <external_variable comment="External variable for definition 20087 - 20090" datatype="string" id="var_accounts_umask_etc_profile" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_etc_profile"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>profile</ind:filename>
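Review bot: the `external_variable` comment "External variable for definition 20087 - 20090" is now stale, since this hunk removes the last reference to the numeric definition ids it points at (the `test_20090`, `obj_20090`, `state_20090` and `var_20090` lines). The bash check below updates its comment in the same patch; do the same here and in the csh and login.defs checks, for example "umask value expected in /etc/profile", so the four variables are distinguishable by comment as well as by id.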
--- ./input/checks/accounts_umask_bash_users.xml.orig 2013-02-05 19:12:47.772245115 -0600
+++ ./input/checks/accounts_umask_bash_users.xml 2013-02-05 19:13:24.510333217 -0600
@@ -11,25 +11,26 @@
correctly for the bash shell</description>
</metadata>
<criteria>
- <criterion test_ref="test_20087" />
+ <criterion test_ref="test_accounts_umask_bash_users" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/bashrc file"
- id="test_20087" version="1">
- <ind:object object_ref="obj_20087" />
- <ind:state state_ref="state_20087" />
+ id="test_accounts_umask_bash_users" version="1">
+ <ind:object object_ref="obj_accounts_umask_bash_users" />
+ <ind:state state_ref="state_accounts_umask_bash_users" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20087"
+ <ind:textfilecontent54_state id="state_accounts_umask_bash_users"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20087" />
+ var_ref="var_accounts_umask_bash_users" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20087"
- version="1" />
- <ind:textfilecontent54_object id="obj_20087"
+
+ <external_variable comment="ensure users umask is set in bashrc" datatype="string" id="var_accounts_umask_bash_users" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_bash_users"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>bashrc</ind:filename>
--- ./input/checks/accounts_umask_csh.xml.orig 2013-02-05 19:12:57.635254603 -0600
+++ ./input/checks/accounts_umask_csh.xml 2013-02-05 19:15:53.797087905 -0600
@@ -11,25 +11,26 @@
correctly for the csh shell</description>
</metadata>
<criteria>
- <criterion test_ref="test_20088" />
+ <criterion test_ref="test_accounts_umask_csh" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/csh.cshrc file"
- id="test_20088" version="1">
- <ind:object object_ref="obj_20088" />
- <ind:state state_ref="state_20089" />
+ id="test_accounts_umask_csh" version="1">
+ <ind:object object_ref="obj_accounts_umask_csh" />
+ <ind:state state_ref="state_accounts_umask_csh" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20089"
+ <ind:textfilecontent54_state id="state_accounts_umask_csh"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20089" />
+ var_ref="var_accounts_umask_csh" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20089"
- version="1" />
- <ind:textfilecontent54_object id="obj_20088"
+
+ <external_variable comment="External variable for definition 20087 - 20090" datatype="string" id="var_accounts_umask_csh" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_csh"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>csh.cshrc</ind:filename>
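Review bot: worth recording in the commit message that this hunk fixes a cross-wiring, not just a rename: the removed lines show `test_20088` pointing at `state_20089` and `var_20089`, while the login.defs check (next hunk) had `test_20089` pointing at `state_20088` and `var_20088`. It was harmless only because both variables were bound to the same `umask_user_value`; with one variable per file the old swap would have made the csh check read the login.defs value, so the consistent `_csh` naming here is a real correction. The `external_variable` comment "External variable for definition 20087 - 20090" is also left stale in this file.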
--- ./input/checks/accounts_umask_login_defs.xml.orig 2013-02-05 19:13:14.772287583 -0600
+++ ./input/checks/accounts_umask_login_defs.xml 2013-02-05 19:18:51.432742692 -0600
@@ -11,25 +11,26 @@
correctly</description>
</metadata>
<criteria>
- <criterion test_ref="test_20089" />
+ <criterion test_ref="test_accounts_umask_login_defs" />
</criteria>
</definition>
+
<ind:textfilecontent54_test check="all"
check_existence="all_exist"
comment="Tests the value of the ^[\s]*umask[\s]+([^#]*) expression in the /etc/login.defs file"
- id="test_20089" version="1">
- <ind:object object_ref="obj_20089" />
- <ind:state state_ref="state_20088" />
+ id="test_accounts_umask_login_defs" version="1">
+ <ind:object object_ref="obj_accounts_umask_login_defs" />
+ <ind:state state_ref="state_accounts_umask_login_defs" />
</ind:textfilecontent54_test>
- <ind:textfilecontent54_state id="state_20088"
+ <ind:textfilecontent54_state id="state_accounts_umask_login_defs"
version="1">
<ind:subexpression operation="equals" var_check="all"
- var_ref="var_20088" />
+ var_ref="var_accounts_umask_login_defs" />
</ind:textfilecontent54_state>
- <external_variable comment="External variable for definition 20087 - 20090"
- datatype="string" id="var_20088"
- version="1" />
- <ind:textfilecontent54_object id="obj_20089"
+
+ <external_variable comment="External variable for definition 20087 - 20090" datatype="string" id="var_accounts_umask_login_defs" version="1" />
+
+ <ind:textfilecontent54_object id="obj_accounts_umask_login_defs"
version="1">
<ind:path>/etc</ind:path>
<ind:filename>login.defs</ind:filename>
--- ./input/profiles/usgcb-rhel6-server.xml.orig 2013-02-05 19:24:46.663316515 -0600
+++ ./input/profiles/usgcb-rhel6-server.xml 2013-02-05 19:54:29.689064773 -0600
@@ -93,7 +93,10 @@
<select idref="root_path_no_dot" selected="true" />
<select idref="root_path_no_groupother_writable" selected="true" />
<select idref="homedir_perms_no_groupwrite_worldread" selected="true" />
-<refine-value idref="umask_user_value" selector="077" />
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<select idref="user_umask_bashrc" selected="true" />
<select idref="user_umask_cshrc" selected="true" />
<select idref="user_umask_profile" selected="true" />
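Review bot: the variables are renamed to the `var_accounts_umask_*` scheme, but the rules selected on the adjacent unchanged lines keep the older `user_umask_bashrc`, `user_umask_cshrc`, `user_umask_profile` naming while the OVAL definitions are `accounts_umask_bash_users`, `accounts_umask_csh`, `accounts_umask_etc_profile`. If the goal of the patch is one naming convention across variable, OVAL and rule ids, the rule ids should be renamed in the same pass; otherwise note in the description that rule ids are intentionally left alone.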
--- ./input/profiles/common.xml.orig 2013-02-05 19:24:54.305363285 -0600
+++ ./input/profiles/common.xml 2013-02-05 19:54:24.185773580 -0600
@@ -254,7 +254,10 @@
<!-- Minimum number of characters not present in old password -->
<refine-value idref="password_history_retain_number" selector="5"/>
<!-- Passwords to remember -->
-<refine-value idref="umask_user_value" selector="077"/>
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<!-- Sensible umask -->
<refine-value idref="login_banner_text" selector="usgcb_default"/>
<!-- login banner verbiage -->
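Review bot: in this file each `<!-- ... -->` comment trails the `refine-value` it describes (`<!-- Passwords to remember -->` follows `password_history_retain_number`, `<!-- login banner verbiage -->` follows `login_banner_text`), so after the hunk `<!-- Sensible umask -->` visibly annotates only the `var_accounts_umask_login_defs` line. Either move the comment above the block of four refine-values or give each line its own comment naming the file it applies to.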
--- ./input/profiles/test.xml.orig 2013-02-05 19:25:03.207794057 -0600
+++ ./input/profiles/test.xml 2013-02-05 19:54:20.058847135 -0600
@@ -48,7 +48,10 @@
<select idref="user_umask_cshrc" selected="true" />
<select idref="user_umask_profile" selected="true" />
<select idref="user_umask_logindefs" selected="true" />
-<refine-value idref="umask_user_value" selector="077"/>
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<select idref="set_daemon_umask" selected="true"/>
--- ./input/profiles/stig-rhel6-server.xml.orig 2013-02-05 19:25:14.092099033 -0600
+++ ./input/profiles/stig-rhel6-server.xml 2013-02-05 19:54:16.386969577 -0600
@@ -70,7 +70,10 @@
<select idref="user_umask_logindefs" selected="true" />
-<refine-value idref="umask_user_value" selector="077"/>
+<refine-value idref="var_accounts_umask_bash_users" selector="077"/>
+<refine-value idref="var_accounts_umask_csh" selector="077"/>
+<refine-value idref="var_accounts_umask_etc_profile" selector="077"/>
+<refine-value idref="var_accounts_umask_login_defs" selector="077"/>
<select idref="set_daemon_umask" selected="true" />
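Review bot: the cover note lists `input/profiles/maritz-rhel6-server.xml` among the changed files, but no hunk for it appears in the patch; if that profile also carried `<refine-value idref="umask_user_value" .../>` it will reference a Value that no longer exists once session.xml is updated, so the missing hunk (or a note that the profile needs no change) should be supplied before this is applied.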
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide