Signed-off-by: David Smith <[email protected]>
---
 RHEL6/input/services/ftp.xml        |    3 ---
 RHEL6/input/system/accounts/pam.xml |    8 ++++----
 2 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml
index dac91be..27957c8 100644
--- a/RHEL6/input/services/ftp.xml
+++ b/RHEL6/input/services/ftp.xml
@@ -159,7 +159,6 @@ If anonymous access is also required, add the anonymous 
usernames to <tt>/etc/vs
 ftp</pre>
 </description>
 <rationale>Historically, the file <tt>/etc/ftpusers</tt> contained a list of 
users who were not allowed to access the system via ftp. It was used to prevent 
system users such as the root user from logging in via the insecure ftp 
protocol. However, when the configuration option <tt>userlist deny=NO</tt> is 
set, vsftpd interprets ftpusers as the set of users who are allowed to login 
via ftp. Since it should be possible for most users to access their accounts 
via secure protocols, it is recommended that this setting be used, so that 
non-anonymous ftp access can be limited to legacy users who have been 
explicitly identified.</rationale>
-<!--<ident cce="27115-5" />-->
 <!--<oval id="ftp_limit_users" />-->
 <!--<ref nist="CM-7" /> -->
 </Group>
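Review bot: dropping the commented-out `<ident cce="27115-5" />` here is the right call, since the same CCE appears commented out under two further ftp items in this patch and one CCE cannot identify three different items; note that the `<oval id="ftp_limit_users" />` and `<ref nist="CM-7" />` lines stay commented out, so this Group still carries no live identifier, check or reference, and the commit message should say whether a replacement CCE is to be assigned later.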
@@ -188,7 +187,6 @@ is necessary to ensure that files cannot be uploaded and 
downloaded from the sam
 be used to verify that this directory is on its own partition.</description>
 <rationale>If there is a mission-critical reason for anonymous users to upload 
files, precautions must be taken to prevent
 these users from filling a disk used by other services.</rationale>
-<!--<ident cce="27115-5" />-->
 <!--<oval id="ftp_home_partition" />-->
 <!--<ref nist="CM-7" /> -->
 </Rule>
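Review bot: same duplicate removal as the first hunk, but this item closes with `</Rule>` rather than `</Group>`, so it is the one of the three that will eventually need a live `<ident>` of its own; with `<oval id="ftp_home_partition" />` also still commented out, the rule currently has neither an identifier nor an automated check, which is worth tracking.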
@@ -207,7 +205,6 @@ FTP is an older protocol which is not very compatible with 
firewalls. During the
 and server negotiate an arbitrary port to be used for data transfer. The ip 
conntrack ftp module is used by
 iptables to listen to that dialogue and allow connections to the data ports 
which FTP negotiates. This allows an
 FTP server to operate on a machine which is running a firewall.</rationale>
-<!--<ident cce="27115-5" />-->
 <!--<oval id="ftp_configure_firewall" />-->
 <!--<ref nist="CM-7" /> -->
 </Group>
diff --git a/RHEL6/input/system/accounts/pam.xml 
b/RHEL6/input/system/accounts/pam.xml
index 2ca9e54..d523a4c 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -74,7 +74,7 @@ of unsuccessful attempts that were made to login to their 
account
 allows the user to determine if any unauthorized activity has occurred
 and gives them an opportunity to notify administrators.
 </rationale>
-<ident cce="TODO" />
+<ident cce="27291-4" />
 <oval id="TODO" />
 <ref disa="53" />
 </Rule>
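Review bot: the `<oval id="TODO" />` on the line right after the new `<ident cce="27291-4" />` is left as a placeholder, so this rule now has a CCE and a DISA reference (`disa="53"`) but still no automated check; if the OVAL is not planned for this patch, state that in the commit message so the TODO is not lost once the CCE makes the rule look complete.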
@@ -241,7 +241,7 @@ requires some software, such as SSH, to re-connect. This 
can slow down and
 draw additional attention to some types of password-guessing attacks. Note 
that this
 is different from account lockout, which is provided by the pam_faillock 
module.
 </rationale>
-<ident cce="26796-5" />
+<ident cce="27123-9" />
 <oval id="accounts_password_pam_cracklib_retry" 
value="var_password_pam_cracklib_retry"/>
 <ref nist="IA-5" disa="1092" />
 <tested by="DS" on="20121024"/>
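Review bot: replacing `cce="26796-5"` with `cce="27123-9"` changes the identifier that downstream consumers key on for this rule, yet nothing in the patch explains why the old CCE was wrong or retired; add a line to the commit message naming the reason (reassignment, duplicate, typo). The `<tested by="DS" on="20121024"/>` line can stay as is, since the OVAL id and its variable are unchanged.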
@@ -459,7 +459,7 @@ prevents direct password guessing attacks.  Ensuring that 
an administrator is
 involved in unlocking locked accounts draws appropriate attention to such
 situations.
 </rationale>
-<ident cce="3410-8" />
+<ident cce="27110-6" />
 <oval id="accounts_passwords_pam_faillock_unlock_time" 
value="var_accounts_passwords_pam_faillock_unlock_time"/>
 <ref nist="AC-7(b)" disa="47" />
 </Rule>
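Review bot: the old `cce="3410-8"` was shared with the `accounts_passwords_pam_fail_interval` rule in the next hunk, so giving unlock_time its own `27110-6` fixes a genuine collision; say so explicitly in the commit message, so anyone still mapping 3410-8 knows which of the two rules it used to refer to. The `<ref nist="AC-7(b)" disa="47" />` line is untouched and still matches an unlock-time control.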
@@ -483,7 +483,7 @@ The output should show 
<tt>fail_interval=&lt;interval-in-seconds&gt;</tt> where
 Locking out user accounts after a number of incorrect attempts within a
 specific period of time prevents direct password guessing attacks.
 </rationale>
-<ident cce="3410-8" />
+<ident cce="27215-3" />
 <oval id="accounts_passwords_pam_fail_interval" 
value="var_accounts_passwords_pam_faillock_fail_interval"/>
 <ref nist="AC-7(a)" disa="1452" />
 </Rule>
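Review bot: the OVAL id `accounts_passwords_pam_fail_interval` is missing the `faillock_` segment that its own variable `var_accounts_passwords_pam_faillock_fail_interval` and the sibling `accounts_passwords_pam_faillock_unlock_time` rule both carry; not something this CCE-only change needs to fix, but worth a follow-up rename so the id matches the naming pattern. `27215-3` is the second of the two new CCEs replacing the previously duplicated `3410-8`, which resolves that collision on both sides.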
-- 
1.7.1

_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide