Classification: UNCLASSIFIED
Caveats: NONE

> - RHEL5 wants /etc/shadow to be 0400; RHEL6 wants this and /etc/gshadow
> at 0000. Not sure of the advantage of the latter.
>
> -> This matters for SELinux.

Fair enough.

> - RHEL5 wants module loading (DCCP, SCTP, Bluetooth, etc.) disabled
> with /bin/true; RHEL6 wants /bin/false.
>
> -> Not sure about this one. Perhaps it's for some logic checking code
> or it prevents overrides later down the stack.

The only difference I can see is that /bin/false gives me this message:

    FATAL: Error running install command for Bluetooth

and an exit code of 1, while /bin/true is silent (neither logs anything to dmesg or syslog) and has an exit code of 0. It's possible that it matters for some deeper reason.

> - RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants them
> to start with "always,exit". Note that some of the actual RHEL6
> benchmark content checks for both (e.g. adjtimex), while some (the
> majority) does not (e.g. chmod).
>
> -> This was a change in auditd itself. "exit,always" is no longer
> valid.

As of which audit version? Unless I'm missing something (and based on the logs, I don't think I am; the events I expect to see logged are being logged, and with my specified key values), the same "exit,always" rules from my RHEL5 audit.rules work on RHEL6. [I do remember that at one point, one direction or the other didn't work on RHEL5, but at the moment, both ways appear to work on both platforms.]

If that syntax is invalid for newer versions of audit than are included in RHEL6, okay, but this is supposed to be a RHEL6 STIG, and a rebase of the audit system seems unlikely (as audit versions tend to be linked to kernel versions, and a rebase of the kernel seems mighty unlikely). If both syntaxes work on RHEL6, I would like to see all audit checks allow both (instead of just the benchmark content of some audit checks).

-- 
Ray Shaw
Contractor, STG Unix support, Army Research Labs

Classification: UNCLASSIFIED
Caveats: NONE
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
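
An added example, not part of the original message or of the scap-security-guide benchmark content: a Python sketch of a compliance check that treats "-a exit,always" and "-a always,exit" as the same rule, which is what the message asks the audit checks to do. The function names, the sample rules and the choice to ignore the -k key are assumptions of this example.

```python
import shlex

LISTS = {"task", "exit", "user", "exclude"}   # auditctl filter lists
ACTIONS = {"always", "never"}

def parse_rule(line):
    """Normalize one audit.rules line to (list, action, syscalls, fields).

    Returns None for comments, blanks and anything that is not an -a/-A rule.
    The -k key is ignored (assumption of this example)."""
    tokens = iter(shlex.split(line, comments=True))
    lst = action = None
    syscalls, fields = set(), set()
    for tok in tokens:
        arg = next(tokens, "") if tok in ("-a", "-A", "-S", "-F", "-k") else ""
        if tok in ("-a", "-A"):
            for part in arg.split(","):      # either order is accepted
                if part in LISTS:
                    lst = part
                elif part in ACTIONS:
                    action = part
        elif tok == "-S":
            syscalls.update(arg.split(","))  # "-S a,b" and "-S a -S b"
        elif tok == "-F":
            fields.add(arg)
    if lst is None or action is None:
        return None
    return (lst, action, frozenset(syscalls), frozenset(fields))

def rule_present(required, rules_text):
    """True if some configured rule covers `required`, whatever the -a order."""
    want = parse_rule(required)
    if want is None:
        raise ValueError("not an audit rule: %r" % required)
    for line in rules_text.splitlines():
        have = parse_rule(line)
        if have and have[:2] == want[:2] and want[2] <= have[2] and want[3] == have[3]:
            return True
    return False

# Constructed sample, mixing both orderings as the message describes.
SAMPLE_RULES = """\
# time and permission changes
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -k perm_mod
"""

if __name__ == "__main__":
    for req in ("-a always,exit -F arch=b64 -S adjtimex",
                "-a exit,always -F arch=b64 -S chmod -F auid>=500"):
        print(req, "->", rule_present(req, SAMPLE_RULES))
```

The comparison requires the same -F fields on both sides, so a configured rule that is narrower than the required one (an extra filter) does not count as a match.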
