For SSGID Enable ExecShield - (CCE-27007-4), with either the stig-rhel6-server or usgcb-rhel6-server profiles selected from the SCAP stream, when run with SCC 3.1.1.1, may produce a false-positive on a RHEL6V1R2 compliant machine.

The SSG is checking the Kernel Runtime Parameter kernel.exec-shield by identifying the value pair kernel.exec-shield = 1 in '/etc/sysctl.conf'.

Runtime state vice the configuration:

(1) query kernel parameter
(2) if not set, query /etc/sysctl.conf

The DISA STIG first queries the kernel parameter by sysctl kernel.exec-shield (/proc/sys/kernel/exec-shield). If not set, then update sysctl.conf.

For example, exec-shield is enabled by default:

    /bin/cat /proc/sys/kernel/exec-shield
    1

In this case,

    /bin/echo -e "\n# Exec-Shield\nkernel.exec-shield = 1" >> /etc/sysctl.conf

is not required for compliance. The check should verify running state, not optional configuration, possibly by way of:

    sysctl kernel.exec-shield

or `cat` as listed above.

Whether to verify the runtime state, configuration, or both is a common theme that we have seen in content/tool review.
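The runtime-first check described in the message above, as an added example that is not part of the original post and is not SSG, SCC or DISA content. The function names are hypothetical, both paths are parameters so the logic can be exercised on constructed files, and reading "not set" as "the runtime parameter cannot be read" is an assumption of this example.

```shell
#!/bin/sh
# Added example: evaluate kernel.exec-shield from running state first,
# and consult sysctl.conf only when the running state cannot be read.

# Print the value assigned to kernel.exec-shield in a sysctl.conf-style
# file. Commented-out lines are ignored; the last assignment wins.
conf_value() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*kernel\.exec-shield[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# Usage: check_exec_shield [proc_file] [conf_file]
# Returns 0 when compliant, 1 otherwise, and prints the evidence used.
check_exec_shield() {
    proc_file=${1:-/proc/sys/kernel/exec-shield}
    conf_file=${2:-/etc/sysctl.conf}

    # (1) Query the kernel parameter. When it is readable it is the
    #     authoritative answer, so a missing sysctl.conf entry is not
    #     reported as a finding.
    if [ -r "$proc_file" ]; then
        runtime=$(tr -d '[:space:]' < "$proc_file")
        if [ "$runtime" = "1" ]; then
            echo "PASS runtime=1"
            return 0
        fi
        # Report the configured value too, to help with remediation.
        configured=$(conf_value "$conf_file")
        echo "FAIL runtime=${runtime:-empty} config=${configured:-unset}"
        return 1
    fi

    # (2) Assumption: "not set" means the runtime value is unavailable,
    #     so fall back to the persistent configuration.
    configured=$(conf_value "$conf_file")
    if [ "$configured" = "1" ]; then
        echo "PASS config=1 (runtime value unavailable)"
        return 0
    fi
    echo "FAIL runtime value unavailable, config=${configured:-unset}"
    return 1
}
```

Called with no arguments, `check_exec_shield` reads the two paths named in the post.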
