>From 76a0a21fc9e537865bd9141cd6d8f66d01fa2bf3 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Sun, 15 Sep 2013 19:43:54 -0400 Subject: [PATCH 18/22] Added remediation for umask_for_daemons - OVAL/XCCDF namings - Added remediation script
---
RHEL6/input/fixes/bash/umask_for_daemons.sh | 8 ++++++++
RHEL6/input/profiles/CS2.xml | 2 +-
RHEL6/input/profiles/fisma-medium-rhel6-server.xml | 2 +-
RHEL6/input/profiles/nist-CL-IL-AL.xml | 2 +-
RHEL6/input/profiles/stig-rhel6-server.xml | 2 +-
RHEL6/input/profiles/test.xml | 2 +-
RHEL6/input/profiles/usgcb-rhel6-server.xml | 2 +-
RHEL6/input/system/permissions/execution.xml | 2 +-
8 files changed, 15 insertions(+), 7 deletions(-)
create mode 100644 RHEL6/input/fixes/bash/umask_for_daemons.sh
diff --git a/RHEL6/input/fixes/bash/umask_for_daemons.sh b/RHEL6/input/fixes/bash/umask_for_daemons.sh
new file mode 100644
index 0000000..bce47aa
--- /dev/null
+++ b/RHEL6/input/fixes/bash/umask_for_daemons.sh
@@ -0,0 +1,8 @@
+source ./templates/support.sh
+populate var_umask_for_daemons
+
+grep -q ^umask /etc/init.d/functions && \
+ sed -i "s/umask.*/umask $var_umask_for_daemons/g" /etc/init.d/functions
+if ! [ $? -eq 0 ]; then
+ echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
+fi
diff --git a/RHEL6/input/profiles/CS2.xml b/RHEL6/input/profiles/CS2.xml
index 57651e7..9e703fc 100644
--- a/RHEL6/input/profiles/CS2.xml
+++ b/RHEL6/input/profiles/CS2.xml
@@ -66,7 +66,7 @@
 <select idref="no_files_unowned_by_group" selected="true" />
 <select idref="world_writable_files_system_ownership" selected="true" />
-<select idref="set_daemon_umask" selected="true" />
+<select idref="umask_for_daemons" selected="true" />
 <refine-value idref="var_umask_for_daemons" selector="027"/>
 <select idref="disable_users_coredumps" selected="true"/>
diff --git a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
index afe5f47..18911ad 100644
--- a/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
+++ b/RHEL6/input/profiles/fisma-medium-rhel6-server.xml
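Review bot: The sed on the fifth added line matches `umask.*` anywhere on a line, while the grep guard two lines above only looks for `^umask`, so once the guard passes every line of /etc/init.d/functions that merely contains the word umask (a comment, for instance) is rewritten to the new value, and the `g` flag does nothing for a pattern that consumes the rest of the line. The `if ! [ $? -eq 0 ]` test also reads the exit status of the whole `grep && sed` list, so a sed failure on a file that already has a umask line falls into the append branch and leaves two umask lines instead of surfacing the error. Anchoring the sed pattern and putting the two cases in an explicit if/else removes both ambiguities, as below. The value of `$var_umask_for_daemons` is written into a file sourced by every init script without being checked here; if populate does not already constrain it, a one-line test that it is an octal mode (for example `[[ $var_umask_for_daemons =~ ^0?[0-7]{3}$ ]]`) before either write would be worth adding.
```shell
# … unchanged: source ./templates/support.sh and populate …
if grep -q '^umask' /etc/init.d/functions; then
	sed -i "s/^umask.*/umask $var_umask_for_daemons/" /etc/init.d/functions
else
	echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi
```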
@@ -38,7 +38,7 @@
 <!-- AC-6 -->
 <refine-value idref="var_umask_for_daemons" selector="022"/>
 <select idref="sshd_disable_root_login" selected="true" />
-<select idref="set_daemon_umask" selected="true" />
+<select idref="umask_for_daemons" selected="true" />
 <select idref="userowner_shadow_file" selected="true" />
 <select idref="groupowner_shadow_file" selected="true" />
 <select idref="perms_shadow_file" selected="true"/>
diff --git a/RHEL6/input/profiles/nist-CL-IL-AL.xml b/RHEL6/input/profiles/nist-CL-IL-AL.xml
index 28e65dc..bb920f6 100644
--- a/RHEL6/input/profiles/nist-CL-IL-AL.xml
+++ b/RHEL6/input/profiles/nist-CL-IL-AL.xml
@@ -155,7 +155,7 @@ assurance."</description>
 <select idref="no_files_unowned_by_user" selected="true" \>
 <select idref="no_files_unowned_by_group" selected="true" \>
 <select idref="world_writable_files_system_ownership" selected="true" \>
-<select idref="set_daemon_umask" selected="true" \>
+<select idref="umask_for_daemons" selected="true" \>
 <select idref="no_uidzero_except_root" selected="true" \>
 <select idref="userowner_rsyslog_files" selected="true" \>
 <select idref="groupowner_rsyslog_files" selected="true" \>
diff --git a/RHEL6/input/profiles/stig-rhel6-server.xml b/RHEL6/input/profiles/stig-rhel6-server.xml
index 2e95ec9..62aafe6 100644
--- a/RHEL6/input/profiles/stig-rhel6-server.xml
+++ b/RHEL6/input/profiles/stig-rhel6-server.xml
@@ -70,7 +70,7 @@
 <select idref="user_umask_logindefs" selected="true" />
 <refine-value idref="var_accounts_user_umask" selector="077" />
-<select idref="set_daemon_umask" selected="true" />
+<select idref="umask_for_daemons" selected="true" />
 <refine-value idref="var_umask_for_daemons" selector="027"/>
diff --git a/RHEL6/input/profiles/test.xml b/RHEL6/input/profiles/test.xml
index a729046..f460ebb 100644
--- a/RHEL6/input/profiles/test.xml
+++ b/RHEL6/input/profiles/test.xml
@@ -49,7 +49,7 @@
 <select idref="user_umask_logindefs" selected="true" />
 <refine-value idref="var_accounts_user_umask" selector="077" />
-<select idref="set_daemon_umask" selected="true"/>
+<select idref="umask_for_daemons" selected="true"/>
 <refine-value idref="var_umask_for_daemons" selector="027"/>
diff --git a/RHEL6/input/profiles/usgcb-rhel6-server.xml b/RHEL6/input/profiles/usgcb-rhel6-server.xml
index 246931c..bdd5c08 100644
--- a/RHEL6/input/profiles/usgcb-rhel6-server.xml
+++ b/RHEL6/input/profiles/usgcb-rhel6-server.xml
@@ -55,7 +55,7 @@
 <select idref="no_files_unowned_by_group" selected="true" />
 <select idref="world_writable_files_system_ownership" selected="true" />
 <refine-value idref="var_umask_for_daemons" selector="027"/>
-<select idref="set_daemon_umask" selected="true" />
+<select idref="umask_for_daemons" selected="true" />
 <select idref="disable_setuid_coredumps" selected="true" />
 <select idref="disable_users_coredumps" selected="true" />
 <select idref="enable_randomize_va_space" selected="true" />
diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml
index 0e2fb5d..e15f7ff 100644
--- a/RHEL6/input/system/permissions/execution.xml
+++ b/RHEL6/input/system/permissions/execution.xml
@@ -23,7 +23,7 @@ for system daemons.
 <value selector="027">027</value>
 </Value>
-<Rule id="set_daemon_umask">
+<Rule id="umask_for_daemons">
 <title>Set Daemon Umask</title>
 <description>The file <tt>/etc/init.d/functions</tt> includes initialization parameters for most or all daemons started at boot time. The default umask of
-- 
1.7.1
