Signed-off-by: David Smith <[email protected]> --- RHEL6/input/auxiliary/alt-titles-stig.xml | 2 +- RHEL6/input/system/accounts/session.xml | 4 ++-- RHEL6/input/system/logging.xml | 14 ++++++++++++-- RHEL6/input/system/network/kernel.xml | 6 +++--- RHEL6/input/system/permissions/files.xml | 20 ++++++++++++++++++++ 5 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index 655bfa8..c9fdb8f 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -150,7 +150,7 @@ Users must not be able to change passwords more than once every 24 hours. User passwords must be changed at least every 60 days. </title> <title rule="password_warn_age" shorttitle="Set Password Warning Age"> -Users must be warned 14 days in advance of password expiration. +Users must be warned 7 days in advance of password expiration. </title> <title rule="account_disable_post_pw_expiration" shorttitle="Set Account Expiration Following Inactivity"> Accounts must be locked upon 35 days of inactivity. diff --git a/RHEL6/input/system/accounts/session.xml b/RHEL6/input/system/accounts/session.xml index faa5295..eeeea6b 100644 --- a/RHEL6/input/system/accounts/session.xml +++ b/RHEL6/input/system/accounts/session.xml @@ -290,9 +290,9 @@ written to by unauthorized users.</rationale> <ocil clause="the above command returns no output, or if the umask is configured incorrectly"> Verify the <tt>UMASK</tt> setting is configured correctly in the <tt>/etc/login.defs</tt> file by running the following command: -<pre># grep "UMASK" /etc/login.defs</pre> +<pre># grep -i "UMASK" /etc/login.defs</pre> All output must show the value of <tt>umask</tt> set to 077, as shown in the below: -<pre># grep "UMASK" /etc/login.defs +<pre># grep -i "UMASK" /etc/login.defs umask 077</pre> </ocil> <ident cce="26371-5" /> diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml index 9ff9334..ffe05c0 100644 --- a/RHEL6/input/system/logging.xml +++ b/RHEL6/input/system/logging.xml 
@@ -120,7 +120,7 @@ will not create it and important log messages can be lost. <description>The owner of all log files written by <tt>rsyslog</tt> should be root. These log files are determined by the second part of each Rule line in -<tt>/etc/rsyslog.conf</tt> typically all appear in <tt>/var/log</tt>. +<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, run the following command to inspect the file's owner: <pre>$ ls -l <i>LOGFILE</i></pre> @@ -129,6 +129,9 @@ correct this: <pre># chown root <i>LOGFILE</i></pre> </description> <ocil clause="the owner is not root"> +The owner of all log files written by <tt>rsyslog</tt> should be root. +These log files are determined by the second part of each Rule line in +<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. To see the owner of a given log file, run the following command: <pre>$ ls -l <i>LOGFILE</i></pre> </ocil> @@ -155,6 +158,9 @@ correct this: <pre># chgrp root <i>LOGFILE</i></pre> </description> <ocil clause="the group-owner is not root"> +The group-owner of all log files written by <tt>rsyslog</tt> should be root. +These log files are determined by the second part of each Rule line in +<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. To see the group-owner of a given log file, run the following command: <pre>$ ls -l <i>LOGFILE</i></pre> </ocil> 
@@ -171,7 +177,7 @@ protected from unauthorized access.</rationale> <Rule id="rsyslog_file_permissions" severity="medium"> <title>Ensure System Log Files Have Correct Permissions</title> <description>The file permissions for all log files written by -rsyslog should be set to 600, or more restrictive. +<tt>rsyslog</tt> should be set to 600, or more restrictive. These log files are determined by the second part of each Rule line in <tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. For each log file <i>LOGFILE</i> referenced in <tt>/etc/rsyslog.conf</tt>, @@ -182,6 +188,10 @@ run the following command to correct this: <pre># chmod 0600 <i>LOGFILE</i></pre> </description> <ocil clause="the permissions are not correct"> +The file permissions for all log files written by <tt>rsyslog</tt> +should be set to 600, or more restrictive. +These log files are determined by the second part of each Rule line in +<tt>/etc/rsyslog.conf</tt> and typically all appear in <tt>/var/log</tt>. To see the permissions of a given log file, run the following command: <pre>$ ls -l <i>LOGFILE</i></pre> The permissions should be 600, or more restrictive. diff --git a/RHEL6/input/system/network/kernel.xml b/RHEL6/input/system/network/kernel.xml index 104cf7c..5f72ab3 100644 --- a/RHEL6/input/system/network/kernel.xml +++ b/RHEL6/input/system/network/kernel.xml @@ -21,7 +21,7 @@ of network traffic.</description> </ocil> <rationale>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is -only appropriate for routers.</rationale> +only appropriate for systems acting as routers.</rationale> <ident cce="27001-7" /> <oval id="sysctl_net_ipv4_conf_default_send_redirects" /> <ref nist="AC-4,CM-7,SC-5,SC-7" disa="1551"/> 
@@ -38,7 +38,7 @@ only appropriate for routers.</rationale> </ocil> <rationale>Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is -only appropriate for routers.</rationale> +only appropriate for systems acting as routers.</rationale> <ident cce="27004-1" /> <oval id="sysctl_net_ipv4_conf_all_send_redirects" /> <ref nist="CM-7" disa="1551"/> @@ -56,7 +56,7 @@ The ability to forward packets is only appropriate for routers. </ocil> <rationale>IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is -only appropriate for routers.</rationale> +only appropriate for systems acting as routers.</rationale> <ident cce="26866-4" /> <oval id="sysctl_net_ipv4_ip_forward" /> <ref nist="CM-7, SC-5" disa="366"/> diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index 9a0de83..fe1d4b4 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -200,6 +200,12 @@ its permission with the following command: <pre># chmod go-w <i>FILE</i></pre> </description> <ocil clause="any of these files are group-writable or world-writable"> +Shared libraries are stored in the following directories: +<pre>/lib +/lib64 +/usr/lib +/usr/lib64 +</pre> To find shared libraries that are group-writable or world-writable, run the following command for each directory <i>DIR</i> which contains shared libraries: <pre>$ find <i>DIR</i> -perm /022 -type f</pre> 
@@ -265,6 +271,13 @@ following command: <pre># chmod go-w <i>FILE</i></pre> </description> <ocil clause="any system executables are found to be group or world writable"> +System executables are stored in the following directories by default: +<pre>/bin +/usr/bin +/usr/local/bin +/sbin +/usr/sbin +/usr/local/sbin</pre> To find system executables that are group-writable or world-writable, run the following command for each directory <i>DIR</i> which contains system executables: <pre>$ find <i>DIR</i> -perm /022</pre> @@ -293,6 +306,13 @@ following command: <pre># chown root <i>FILE</i></pre> </description> <ocil clause="any system executables are found to not be owned by root"> +System executables are stored in the following directories by default: +<pre>/bin +/usr/bin +/usr/local/bin +/sbin +/usr/sbin +/usr/local/sbin</pre> To find system executables that are not owned by <tt>root</tt>, run the following command for each directory <i>DIR</i> which contains system executables: <pre>$ find <i>DIR</i> \! -user root</pre> -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
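Review bot: in the alt-titles-stig.xml hunk the STIG title for password_warn_age is changed from 14 to 7 days, but nothing else in this patch touches the value the rule actually checks. Please confirm the variable or OVAL behind `password_warn_age` (and the profile value it takes) is also 7, otherwise the STIG alternate title and the check it labels will disagree. If the default profile deliberately keeps 14 and only the STIG title is being aligned with the STIG text, say so in the commit message, which here carries only the Signed-off-by line.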
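Review bot: in the session.xml hunk, `grep -i "UMASK" /etc/login.defs` will also match any comment line in login.defs that mentions umask, so a commented explanation plus a real `UMASK 077` line yields two lines of output and the clause "All output must show the value of umask set to 077" reads as a failure on a correctly configured host. Anchoring to the start of the line, e.g. `grep -i "^UMASK" /etc/login.defs`, keeps the case tolerance that `-i` was added for while skipping comments. The sample output in the same hunk is `umask 077` (lowercase) while the key being grepped is written `UMASK`; pick one spelling for the example so the reader is not left wondering whether case matters.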
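Review bot: the new OCIL paragraphs in the two log-file owner/group-owner hunks of logging.xml repeat the description verbatim but still leave the reader to work out by hand which files are "the second part of each Rule line"; the check is only reproducible if the list of LOGFILEs is mechanical. A one-liner that prints the file targets of non-comment, non-directive lines would do, for example `awk '/^[^#$]/ && $2 ~ /^-?\//{sub(/^-/,"",$2); print $2}' /etc/rsyslog.conf` (the leading `-` is rsyslog's async-write marker, not part of the path). Also worth a sentence: if rsyslog.conf pulls in further files via $IncludeConfig, rules declared there are not covered by reading /etc/rsyslog.conf alone.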
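Review bot: in the rsyslog_file_permissions hunk the OCIL states the permissions "should be 600, or more restrictive" but the command it gives, `ls -l LOGFILE`, prints symbolic mode bits, so the reader has to translate `-rw-------` into 600 themselves before comparing. `stat -c '%a %n' LOGFILE` prints the octal mode directly and matches the way the threshold is stated; the same applies to the owner and group hunks, where `stat -c '%U %G %n' LOGFILE` gives the answer in named fields rather than positional `ls` columns.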
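Review bot: in the shared-library hunk of files.xml the directory list ends with a newline before `</pre>` (`/usr/lib64` on one line, `</pre>` on the next), while both executable-directory lists in the same file close with `/usr/local/sbin</pre>`; in rendered output the first form adds a trailing blank line inside the block, so make the three consistent. Separately, the shared-library check is `find DIR -perm /022 -type f` but the two executable checks are `find DIR -perm /022` and `find DIR \! -user root` without `-type f`, so those two will also list subdirectories and symlinks under /bin, /sbin and friends; either add `-type f` to all three or state in the OCIL why non-regular entries are intentionally reported.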
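Review bot: the same six-line directory list is pasted into both the group/world-writable and the root-ownership OCILs for system executables, so any later change has to be made twice; a shared sentence or variable would avoid drift. While that list is being introduced, consider whether it should include `/usr/libexec`, which holds executables on RHEL but is not on the default search path, or whether "stored in the following directories by default" is meant to restrict the check to PATH directories; the description's own wording, "each directory DIR which contains system executables", suggests the former.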
