Classification: UNCLASSIFIED
Caveats: NONE

Yes, I'll work on this; it has been too long since I submitted something! I'll look into the NTP one as well, though this should be easier. Thanks for knocking out the rsyslog one.

--
Ray Shaw
Contractor, STG
Unix support, Army Research Labs

> -----Original Message-----
> From: [email protected] [mailto:scap-
> [email protected]] On Behalf Of Shawn Wells
> Sent: Friday, October 25, 2013 9:32 PM
> To: [email protected]
> Subject: Re: CCE-26801-1 - rsyslog suggestion/question (UNCLASSIFIED)
>
> On 10/25/13, 9:02 PM, Shawn Wells wrote:
> > On 10/25/13, 8:25 AM, Shaw, Ray V CTR USARMY ARL (US) wrote:
> >> Classification: UNCLASSIFIED
> >> Caveats: NONE
> >>
> >> There's more than one instance of things like this (e.g.
> >> /etc/security/limits.d versus limits.conf), and this applies to us
> >> too. I'd like both to be valid; when possible, we prefer to
> >> configuration-manage a small, unique file in a foo.d directory than
> >> make changes to existing config files. I'm not certain how best to
> >> do this in OVAL; write a check for each location, with a condition of
> >> "at least one of these must be true"?
> >
> > Good find. Just submitted a patch to address this, pending ack will be
> > picked up in next build:
> > https://lists.fedorahosted.org/pipermail/scap-security-guide/2013-October/004387.html
> >
> >
> > Ray - Perhaps you could use this as a template for limits.conf vs
> > limits.d?
>
> OK, patch got ack'd, it'll show up if you 'git pull'. Think you could
> use it as a template? :)
>
> >
> >
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:scap-
> >>> [email protected]] On Behalf Of wm-lists
> >>> Sent: Friday, October 25, 2013 7:47 AM
> >>> To: [email protected]
> >>> Subject: CCE-26801-1 - rsyslog suggestion/question
> >>>
> >>> It appears the requirement check /etc/rsyslog.conf for an entry such as
> >>>
> >>> *.* @loghost.example.com
> >>> or
> >>>
> >>>
> >>> *.* @@loghost.example.com
> >>>
> >>> <ind:textfilecontent54_object id="oval:ssg:obj:1907" version="1">
> >>>   <ind:path>/etc</ind:path>
> >>>   <ind:filename>rsyslog.conf</ind:filename>
> >>>   <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
> >>>   <ind:instance datatype="int">1</ind:instance>
> >>> </ind:textfilecontent54_object>
> >>>
> >>>
> >>> However in my case, we utilize multiple .conf files under
> >>> /etc/rsyslog.d for destinations (log aggregators, etc...)
> >>>
> >>> I'm guessing the scap software doesn't follow include Directives?
> >
> > _______________________________________________
> > scap-security-guide mailing list
> > [email protected]
> > https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
>
>
> --
> Shawn Wells
> Director, Innovation Programs
> [email protected] | 443.534.0130
> @shawndwells
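
The "at least one of these must be true" check discussed in this thread, as an added Python sketch that is not part of the original messages and is not the patch referenced above. It applies the pattern from the quoted OVAL object to both /etc/rsyslog.conf and /etc/rsyslog.d/*.conf; the function names and the *.conf suffix filter are assumptions, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Pattern copied from the quoted OVAL object (oval:ssg:obj:1907).
# MULTILINE lets ^ anchor at each line start, so commented-out rules do not match.
FORWARD_RE = re.compile(r"^\*\.\*[\s]+(?:@|\:omrelp\:)", re.MULTILINE)


def forwarding_sources(etc_root):
    """Return config files (relative to etc_root) that forward *.* to a remote host."""
    root = Path(etc_root)
    candidates = [root / "rsyslog.conf"]
    dropin = root / "rsyslog.d"
    if dropin.is_dir():
        # Assumption: only *.conf drop-ins are loaded, as in the thread's setup.
        candidates += sorted(dropin.glob("*.conf"))
    hits = []
    for path in candidates:
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # missing or unreadable: this location cannot satisfy the check
        if FORWARD_RE.search(text):
            hits.append(path.relative_to(root).as_posix())
    return hits


def is_compliant(etc_root):
    # Either location may carry the forwarding rule; one match is enough.
    return bool(forwarding_sources(etc_root))


def build_sample(main_conf, dropins):
    """Create a constructed /etc tree in a temp dir (sample data, not a real host)."""
    root = Path(tempfile.mkdtemp())
    (root / "rsyslog.conf").write_text(main_conf)
    (root / "rsyslog.d").mkdir()
    for name, body in dropins.items():
        (root / "rsyslog.d" / name).write_text(body)
    return root


if __name__ == "__main__":
    etc = build_sample("$IncludeConfig /etc/rsyslog.d/*.conf\n",
                       {"loghost.conf": "*.* @@loghost.example.com\n"})
    print(forwarding_sources(etc), is_compliant(etc))
```
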
