+1 on that, I have been seeing a bunch of dups.  I have some other notes
that I'm keeping about some of the configuration recommendations, for
example:

If a password exists for a service account it's declared a finding and
passwd -l <account name> should be done, but passwd -l only puts !! in
front of the hash to lock the account and does not remove the hash.  I'm
assuming this is going to cause some false positives in scanning.  So
maybe some extra wording saying that if a hash exists and !! comes before
it, then it's not a finding?

I'm keeping track of everything as I develop the STIG content, so will
report back as I mow through everything.

P.S.  From the RHEL5 Beta STIG to the RHEL5 Final no change log or
revision tracking was done, which makes updating content a
nightmare--especially if there are dups of like checks.  Maybe we can ping
DISA to try and implement that?

R/

Vincent C. Passaro
CISSP, L|PT, E|CSA, C|EH, CEPT, CPT, LPIC-3 (Core/Security), RHCSA, Novell
CLA, MCP, Security+, A+
CELL: 760-846-1812
Office: 888-75-FOTIS
Fax: 617-454-1121
[email protected]
www.fotisnetworks.com

On 2/15/13 11:21 AM, "Robert Sanders" <[email protected]> wrote:

>Morning all,
>  I've been looking over the draft stig and had some observations (some
>of which may be completely naïve)
>
>- noticed that *many* of the STIG line items have the content duplicated
>almost exactly (different CCI number perhaps).  IPv4/IPv6 firewall items
>for example.  Is there a requirement somewhere that each CCI number must
>match a discrete STIG?
>
>- regarding the SSH settings - many of the settings for
>/etc/ssh/sshd_config are duplicated, but I see no corresponding settings
>for /etc/ssh/ssh_config (Protocol, ciphers, etc).
>
>- really noob one - if IPv6 is disabled, can ip6tables actually start?  If
>not, then by disabling ipv6 you are always going to get dinged by not
>having ip6tables active.
>
>
>Other than those questions - outstanding work!
>
>-Rob
>_______________________________________________
>scap-security-guide mailing list
>[email protected]
>https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
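
An added example, not part of the original messages or the project's own content: a sketch of the check suggested in the reply above, where a hash preceded by `!` or `!!` counts as locked rather than as a finding. The sample shadow lines, account names and state labels are constructed for illustration.

```python
import re

# Constructed sample in /etc/shadow format; the hashes are fake placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHroot:15750:0:99999:7:::
bin:*:15750:0:99999:7:::
daemon:!!:15750:0:99999:7:::
apache:!!$6$saltsalt$FAKEHASHapache:15750:0:99999:7:::
ftp:!$1$salt$FAKEHASHftp:15750:0:99999:7:::
mysql:$6$saltsalt$FAKEHASHmysql:15750:0:99999:7:::
nobody::15750:0:99999:7:::
"""
# Assumption: the auditor supplies the list of service accounts.
SERVICE_ACCOUNTS = {"bin", "daemon", "apache", "ftp", "mysql", "nobody"}

# crypt(3) output never contains '!', so a leading run of '!' is a lock marker.
LOCK_PREFIX = re.compile(r"^(!+)(.*)$")

def classify_field(pw):
    """Classify the second field of a shadow entry."""
    if pw == "":
        return "empty"                      # separate problem: no password at all
    m = LOCK_PREFIX.match(pw)
    if m:                                   # what passwd -l leaves behind
        return "locked-hash" if m.group(2) else "locked-nohash"
    if pw.startswith("*"):
        return "no-login"                   # no valid hash was ever set
    return "usable-hash"                    # password login possible

def parse_shadow(text):
    """Yield (account, password_field), skipping blank and malformed lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0]:
            yield fields[0], fields[1]

def audit(text, service_accounts):
    """Return {account: state} for the named service accounts only."""
    return {name: classify_field(pw)
            for name, pw in parse_shadow(text) if name in service_accounts}

def findings(text, service_accounts):
    """Only an unlocked, usable hash on a service account is reported."""
    return sorted(a for a, s in audit(text, service_accounts).items()
                  if s == "usable-hash")

if __name__ == "__main__":
    for account, state in sorted(audit(SAMPLE_SHADOW, SERVICE_ACCOUNTS).items()):
        print(f"{account:8} {state}")
    print("findings:", findings(SAMPLE_SHADOW, SERVICE_ACCOUNTS))
```
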

