Shawn, I'd noticed it had been removed in the RHEL6 content, but the inconsistency between the manual document and the benchmark had me confused. The inclusion of the csh.logout file in the manual document had me concerned about needing to do this to 'all' files. Thank you for the comments (here and on the other list).
-Rob

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]
> On Behalf Of Shawn Wells
> Sent: Tuesday, February 19, 2013 11:10 PM
> To: [email protected]
> Subject: Re: RHEL5 GEN001780 questions
>
> On 2/19/13 6:13 PM, Robert Sanders wrote:
> > Afternoon folks,
> >
> > I'd like to get some feedback on GEN001780. Asked DISA about this in a
> > direct email some time ago and never heard anything back.
> >
> > We had a customer having *major* problems with cronjobs after
> > implementing this STIG. Lots of messages showing up in the logs about:
> >
> > Bad item passed to pam_*_item()
> >
> > pam_env(crond:setcred): pam_putenv: delete non-existent entry; mesg n
> >
> > Back tracked finally to having 'mesg n' in /etc/environment.
> >
> > So my questions:
> >
> > 1) Is this line item looking for *at least one* of the listed files,
> > or all files, to contain 'mesg n'?
> >
> > 2) The SCC tool seems to be looking at a different set of files than
> > the manual-xccdf document. Which is correct?
> >
> > Manual doc - /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout
> > /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile
> > /etc/profile.d/*
> >
> > SCC - /etc/bashrc /etc/profile /etc/environment /etc/security/environ
> > /etc/.login /etc/profile.d/*
> >
> > 3) Why is /etc/environment on this list? The pam_env.so module will
> > process this file expecting to find "name=val" pairs, of which
> > 'mesg n' isn't, so it barfs and this seems to upset the apple cart.
> >
> > 4) Why is /etc/security/environ in this list? I thought that was an
> > AIX-specific file, not Linux?
> >
> > I'm posting this to another mailing list also, so folks may see it
> > twice.
>
> (properly answered on the gov-sec mailing list)
>
> In short: This rule is antiquated and removed from the RHEL6 STIG. In
> RHEL5 you're only required to pick ONE of the files, not all.
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
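Added example, my own and not code from this thread or from the scap-security-guide project: a POSIX sh audit for GEN001780 that counts which of the files from the manual XCCDF list carry 'mesg n' (the RHEL5 reading above needs at least one) and, separately, checks /etc/environment against the NAME=value form pam_env.so parses, so a stray 'mesg n' there is caught by the audit instead of by crond's logs. The ROOT prefix argument, the demo() fixture and its sample file contents are assumptions I added so the checks run against a scratch tree rather than the live /etc.

```shell
#!/bin/sh
# Added example (not from the thread): audit the GEN001780 file list for
# "mesg n" and validate /etc/environment the way pam_env.so reads it.
# ROOT is a hypothetical prefix so the checks can run on a scratch copy of /etc.

# File list from the manual XCCDF document quoted in the thread.
# /etc/profile.d/* is expanded at scan time by list_gen001780_files.
GEN001780_FILES="/etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout /etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile"

# Print every candidate path under ROOT, including profile.d fragments.
list_gen001780_files() {
    root="$1"
    for f in $GEN001780_FILES; do echo "$root$f"; done
    for f in "$root"/etc/profile.d/*; do [ -e "$f" ] && echo "$f"; done
    return 0
}

# True when FILE has an uncommented line that runs "mesg n".
has_mesg_n() {
    [ -r "$1" ] && grep -qE '^[[:space:]]*mesg[[:space:]]+n([[:space:]]|;|$)' "$1"
}

# Print how many listed files under ROOT set "mesg n". One is enough for
# the RHEL5 reading; the count also shows whether it was put in *all* of them.
count_mesg_n() {
    n=0
    for f in $(list_gen001780_files "$1"); do
        if has_mesg_n "$f"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# pam_env.so reads /etc/environment as NAME=value lines; blank lines and
# "#" comments are skipped and a leading "export " is stripped. A line with
# no "=" (such as "mesg n") reaches pam_putenv as a request to delete that
# variable, which is the "delete non-existent entry" message in the thread.
# Print every line that is not NAME=value and return 1 if there were any.
check_environment_syntax() {
    file="$1"
    [ -r "$file" ] || return 0   # absent file: nothing for pam_env to choke on
    bad=$(grep -vE '^[[:space:]]*(#|$)' "$file" \
          | grep -vE '^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*=' || true)
    if [ -n "$bad" ]; then
        printf 'malformed line(s) in %s:\n%s\n' "$file" "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration on a scratch tree with constructed sample files (assumption:
# these contents are made up for the example, not taken from any host).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/profile.d"
    printf '# site profile\nmesg n\n' > "$root/etc/profile"
    printf 'PATH=/usr/local/bin:/usr/bin\nmesg n\n' > "$root/etc/environment"
    echo "files with 'mesg n': $(count_mesg_n "$root")"
    if check_environment_syntax "$root/etc/environment"; then
        echo "/etc/environment is clean"
    else
        echo "/etc/environment would trip pam_env; keep 'mesg n' in a shell profile instead"
    fi
    rm -rf "$root"
}
demo
```

Run it as root against the real system by calling count_mesg_n "" and check_environment_syntax /etc/environment; the has_mesg_n regex only matches an uncommented line that actually invokes mesg, so a commented-out "# mesg n" is not counted as compliance.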
