On 02/11/2013 11:26 AM, Jeffrey Blank wrote:
> Yes :)
> However, we may be able to do a bit better, even with OVAL if we
> consider that the Rules:
>
> Ensure Log Files Are Owned By Appropriate Group      unknown
> Ensure System Log Files Have Correct Permissions     unknown
>
> may be reformulated to:
> Ensure Log Files Are stored in /var/log              pass (if lucky)

Not the same thing. As written currently, files match rsyslog config.

>
> ...and I believe OVAL is capable of checking for this.

Possibly. Recursive descent via "behavior", and I have not tested that.

>
> Other, existing checks for permissions on all files in /var/log should
> then ensure that a non-compliant system will fail.

As long as they are all root:root 0600. Not considering extended ACLs, btw, nor is "more restrictive" easily testable.

>
> So I ask the group: storing all log files in /var/log is a stronger
> requirement, but is this a problem?

Dunno about RHEL. This is not 100% the case on Ubuntu systems. The logs will usually be somewhere under /var/log. Permissions will differ, and are determined by entries in /etc/logrotate.d.

>
> (Really, the Rule for having a separate partition for /var/log is
> already sort of assuming that we're doing this...)

I don't think these are equivalent. In any case I have been directed to relax that particular requirement (separate filesystem for /var/log) for at least single-user workstations within NASA. Such rules will be altered via <Profile> to have role="unscored", severity="low", and selected="true".

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
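
The two rule formulations discussed in this thread, side by side, as an added example that is not part of the original message or of the SCAP Security Guide content: one function collects the file targets named in an rsyslog configuration and flags those outside /var/log, the other walks a log directory and flags any file granting bits beyond 0600. The sample configuration, the function names and the `/srv/applog` path are constructed for illustration; only legacy selector/action lines are parsed, and ownership and extended ACLs are not checked.

```python
import os
import stat

# Constructed rsyslog.conf sample (not taken from the thread).
SAMPLE_CONF = """\
# rules
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /var/log/secure
mail.*                            -/var/log/maillog
local7.*                          /srv/applog/boot.log
*.emerg                           :omusrmsg:*
$IncludeConfig /etc/rsyslog.d/*.conf
"""

def rsyslog_file_targets(conf_text):
    """Return file paths used as actions in legacy selector lines."""
    targets = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "$")):
            continue  # comments and $ directives name no log file
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        action = parts[1].strip()
        if action.startswith("-"):  # leading "-" only disables sync
            action = action[1:]
        if action.startswith("/"):
            targets.append(action)
    return targets

def outside_log_dir(targets, log_dir="/var/log"):
    """Targets that the 'stored in /var/log' formulation would fail."""
    prefix = log_dir.rstrip("/") + "/"
    return [t for t in targets if not os.path.normpath(t).startswith(prefix)]

def too_permissive(path, max_mode=0o600):
    """True if the file grants any permission bit not present in max_mode."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & ~max_mode)

def audit_tree(root, max_mode=0o600):
    """Relative paths of files under root that exceed max_mode."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if too_permissive(path, max_mode):
                bad.append(os.path.relpath(path, root))
    return sorted(bad)
```
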
