On 4/11/13 1:38 PM, David Smith wrote:
Signed-off-by: David Smith <[email protected]>
---
RHEL6/input/services/ftp.xml | 3 ---
RHEL6/input/system/accounts/pam.xml | 8 ++++----
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/RHEL6/input/services/ftp.xml b/RHEL6/input/services/ftp.xml
index dac91be..27957c8 100644
--- a/RHEL6/input/services/ftp.xml
+++ b/RHEL6/input/services/ftp.xml
@@ -159,7 +159,6 @@ If anonymous access is also required, add the anonymous usernames
to <tt>/etc/vs
ftp</pre>
</description>
<rationale>Historically, the file <tt>/etc/ftpusers</tt> contained a list of users who were not
allowed to access the system via ftp. It was used to prevent system users such as the root user from logging in via
the insecure ftp protocol. However, when the configuration option <tt>userlist deny=NO</tt> is set,
vsftpd interprets ftpusers as the set of users who are allowed to login via ftp. Since it should be possible for
most users to access their accounts via secure protocols, it is recommended that this setting be used, so that
non-anonymous ftp access can be limited to legacy users who have been explicitly identified.</rationale>
-<!--<ident cce="27115-5" />-->
<!--<oval id="ftp_limit_users" />-->
<!--<ref nist="CM-7" /> -->
</Group>
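Review bot: dropping the commented-out `<ident cce="27115-5" />` here is correct, since the identical CCE is pasted into three separate ftp items in this file and can belong to at most one of them, but after the change this block still has no live `<ident>`, `<oval>` or `<ref>` (all three remain commented out), so ftp_limit_users is neither checked nor tracked. The visible context also shows `<rationale>` and the commented identifiers as direct children of a `</Group>` rather than a `</Rule>`; if that is the real structure it is worth a follow-up, because rationale/ident/oval belong on a Rule.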
@@ -188,7 +187,6 @@ is necessary to ensure that files cannot be uploaded and
downloaded from the sam
be used to verify that this directory is on its own partition.</description>
<rationale>If there is a mission-critical reason for anonymous users to
upload files, precautions must be taken to prevent
these users from filling a disk used by other services.</rationale>
-<!--<ident cce="27115-5" />-->
<!--<oval id="ftp_home_partition" />-->
<!--<ref nist="CM-7" /> -->
</Rule>
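Review bot: second copy of the stale `27115-5` comment; removing it is consistent with the first hunk. Note that the `<oval id="ftp_home_partition" />` stays commented out, so the separate-partition check the description promises ("be used to verify that this directory is on its own partition") is still not performed by the content.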
@@ -207,7 +205,6 @@ FTP is an older protocol which is not very compatible with
firewalls. During the
and server negotiate an arbitrary port to be used for data transfer. The ip
conntrack ftp module is used by
iptables to listen to that dialogue and allow connections to the data ports
which FTP negotiates. This allows an
FTP server to operate on a machine which is running a firewall.</rationale>
-<!--<ident cce="27115-5" />-->
<!--<oval id="ftp_configure_firewall" />-->
<!--<ref nist="CM-7" /> -->
</Group>
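Review bot: with this third removal no ftp item in the file carries `27115-5` at all; if that CCE was genuinely assigned to one of these three items it should be restored as a live `<ident>` on that one item rather than dropped everywhere. The commit message consists only of a Signed-off-by, so please state whether 27115-5 is being retired or simply moved. Same `</Group>`-after-`<rationale>` pattern as ftp_limit_users.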
diff --git a/RHEL6/input/system/accounts/pam.xml
b/RHEL6/input/system/accounts/pam.xml
index 2ca9e54..d523a4c 100644
--- a/RHEL6/input/system/accounts/pam.xml
+++ b/RHEL6/input/system/accounts/pam.xml
@@ -74,7 +74,7 @@ of unsuccessful attempts that were made to login to their
account
allows the user to determine if any unauthorized activity has occurred
and gives them an opportunity to notify administrators.
</rationale>
-<ident cce="TODO" />
+<ident cce="27291-4" />
<oval id="TODO" />
<ref disa="53" />
</Rule>
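Review bot: `<oval id="TODO" />` on the line directly after the new `<ident cce="27291-4" />` is left untouched, so this rule now advertises a CCE while still having no check behind it. Either fill in the OVAL id in the same change or call out the remaining TODO in the commit message so it is not mistaken for a finished rule.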
@@ -241,7 +241,7 @@ requires some software, such as SSH, to re-connect. This
can slow down and
draw additional attention to some types of password-guessing attacks. Note
that this
is different from account lockout, which is provided by the pam_faillock
module.
</rationale>
-<ident cce="26796-5" />
+<ident cce="27123-9" />
<oval id="accounts_password_pam_cracklib_retry"
value="var_password_pam_cracklib_retry"/>
<ref nist="IA-5" disa="1092" />
<tested by="DS" on="20121024"/>
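Review bot: unlike the `TODO` and duplicate-`3410-8` replacements elsewhere in this patch, this hunk swaps an apparently valid identifier (`26796-5`) for `27123-9` with no explanation in the commit message. Say where 27123-9 comes from and whether 26796-5 is now free or reassigned, otherwise a later reader cannot tell a correction from a typo. The `<tested by="DS" on="20121024"/>` line is rightly left alone, since only the ident changed.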
@@ -459,7 +459,7 @@ prevents direct password guessing attacks. Ensuring that
an administrator is
involved in unlocking locked accounts draws appropriate attention to such
situations.
</rationale>
-<ident cce="3410-8" />
+<ident cce="27110-6" />
<oval id="accounts_passwords_pam_faillock_unlock_time"
value="var_accounts_passwords_pam_faillock_unlock_time"/>
<ref nist="AC-7(b)" disa="47" />
</Rule>
@@ -483,7 +483,7 @@ The output should show
<tt>fail_interval=<interval-in-seconds></tt> where
Locking out user accounts after a number of incorrect attempts within a
specific period of time prevents direct password guessing attacks.
</rationale>
-<ident cce="3410-8" />
+<ident cce="27215-3" />
<oval id="accounts_passwords_pam_fail_interval"
value="var_accounts_passwords_pam_faillock_fail_interval"/>
<ref nist="AC-7(a)" disa="1452" />
</Rule>
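Review bot: other half of the `3410-8` duplicate, fine as-is. Visible in the context but pre-existing: the OVAL id `accounts_passwords_pam_fail_interval` omits `faillock` while its variable is `var_accounts_passwords_pam_faillock_fail_interval` and the sibling rule uses `accounts_passwords_pam_faillock_unlock_time`; a follow-up rename of the oval id would keep the naming consistent.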
ack
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide