Classification: UNCLASSIFIED Caveats: FOUO Yeah, you've got me on that. I can make a test vm of the rhel7 and see if that will block or cause issues. My scripts just do 'sed -I 's@^vc@@g' /etc/securetty So that wouldn't affect that. Interesting. Will check that out.
-----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Albrecht, Thomas C Sent: Wednesday, February 25, 2015 9:28 AM To: '[email protected]' Subject: securetty and hypervisor virtual consoles (hvc) All, I'm having trouble determining whether to send these questions to this list or the gov-sec list. If anyone has advice, please share it with me. That said, I'm working on updating my lockdown scripts for RHEL7 to meet the spirit of the law manifested in the RHEL6 STIG. One of the requirements in the RHEL6 STIG is that "The system must prevent the root account from logging in from virtual consoles." (Rule ID: SV-50293r1_rule) Their solution is to remove all lines that start with "vc" from /etc/securetty. RHEL7 has introduced their hypervisor virtual consoles as "hvc". Not being as familiar with the hypervisor technology as I probably should be, is there a consensus for whether the requirement necessitates removing those lines from securetty as well? Thanks! Tom Albrecht -- Tom Albrecht III, CISSP-ISSEP, GPEN Information Assurance Engineer Staff Cyber & Security Solutions Team (CaS2T) Lockheed Martin Corporation, IS&GS [email protected] <mailto:[email protected]> (m) 484-798-0109 (w) 610-354-7424 Classification: UNCLASSIFIED Caveats: FOUO
smime.p7s
Description: S/MIME cryptographic signature
-- SCAP Security Guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide https://github.com/OpenSCAP/scap-security-guide/
