Re: modprobe - I guess that could be good if you're trying to load the module by hand and, instead of typing the command a few times before remembering that it was disabled, actually getting some feedback.
Re: auditd - I'm remembering this from reading the man pages, nothing more. They may, or may not, be accurate.

Trevor

On Tue, Feb 26, 2013 at 1:38 PM, Shaw, Ray V CTR (US) <[email protected]> wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> > - RHEL5 wants /etc/shadow to be 0400; RHEL6 wants this and /etc/gshadow
> > at 0000. Not sure of the advantage of the latter.
> >
> > -> This matters for SELinux.
>
> Fair enough.
>
> > - RHEL5 wants module loading (DCCP, SCTP, Bluetooth, etc.) disabled
> > with /bin/true; RHEL6 wants /bin/false.
> >
> > -> Not sure about this one. Perhaps it's for some logic checking code
> > or it prevents overrides later down the stack.
>
> The only difference I can see is that /bin/false gives me this message:
>
> FATAL: Error running install command for Bluetooth
>
> and an exit code of 1, while /bin/true is silent (neither logs anything to
> dmesg or syslog) and has an exit code of 0. It's possible that it matters
> for some deeper reason.
>
> > - RHEL5 wants audit rules to start with "exit,always"; RHEL6 wants them
> > to start with "always,exit". Note that some of the actual RHEL6
> > benchmark content checks for both (e.g. adjtimex), while some (the
> > majority) does not (e.g. chmod).
> >
> > -> This was a change in auditd itself. "exit,always" is no longer
> > valid.
>
> As of which audit version? Unless I'm missing something (and based on the
> logs, I don't think I am; the events I expect to see logged are being
> logged, and with my specified key values), the same "exit,always" rules
> from my RHEL5 audit.rules work on RHEL6.
>
> [I do remember that at one point, one direction or the other didn't work on
> RHEL5, but at the moment, both ways appear to work on both platforms.]
>
> If that syntax is invalid for newer versions of audit than are included in
> RHEL6, okay, but this is supposed to be a RHEL6 STIG, and a rebase of the
> audit system seems unlikely (as audit versions tend to be linked to kernel
> versions, and a rebase of the kernel seems mighty unlikely). If both
> syntaxes work on RHEL6, I would like to see all audit checks allow both
> (instead of just the benchmark content of some audit checks).
>
> --
> Ray Shaw
> Contractor, STG
> Unix support, Army Research Labs
>
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> _______________________________________________
> scap-security-guide mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
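The two checks the thread turns on, written as a small POSIX shell script: whether a syscall audit rule is present in either auditctl field ordering ("always,exit" or "exit,always"), and which command a modprobe "install" line hands a module to. This is an added example, not code from the thread or from scap-security-guide; the audit.rules and modprobe.d fragments are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Constructed audit.rules fragment mixing the RHEL5-style "exit,always"
# ordering with the RHEL6-style "always,exit" ordering.
SAMPLE_AUDIT_RULES='-a exit,always -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k perm_mod
-w /etc/shadow -p wa -k identity'

# Constructed /etc/modprobe.d fragment using both install handlers plus a
# bare blacklist line (which does not stop an explicit modprobe).
SAMPLE_MODPROBE='install dccp /bin/true
install sctp /bin/false
blacklist bluetooth'

# audit_rule_present RULES SYSCALL KEY
# Exit 0 when RULES holds a syscall rule for SYSCALL tagged with key KEY,
# accepting both action/list orderings and both "-S a -S b" and "-S a,b".
audit_rule_present() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)([[:space:]]|$)' \
      | grep -E -e "-S[[:space:]]+([^[:space:]]*,)?${2}(,|[[:space:]]|\$)" \
      | grep -E -q -e "-k[[:space:]]+${3}([[:space:]]|\$)"
}

# module_install_handler MODPROBE MODULE
# Prints the command modprobe runs instead of loading MODULE (/bin/true,
# /bin/false, ...); prints nothing and exits 1 when no install line exists.
module_install_handler() {
    printf '%s\n' "$1" \
      | awk -v mod="$2" '$1 == "install" && $2 == mod { print $3; found = 1 }
                         END { exit !found }'
}

# module_disabled MODPROBE MODULE
# Exit 0 when the install handler is one of the two forms the STIGs use.
# /bin/true loads nothing and returns 0 silently; /bin/false also loads
# nothing but makes modprobe report a FATAL error and return 1.
module_disabled() {
    case "$(module_install_handler "$1" "$2")" in
        /bin/true|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}
```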
