Signed-off-by: Jeffrey Blank <bl...@eclipse.ncsc.mil>
---
 RHEL6/input/profiles/STIG-server.xml | 13 +++++++++++++
 RHEL6/input/profiles/common.xml | 8 ++++++++
 2 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/RHEL6/input/profiles/STIG-server.xml b/RHEL6/input/profiles/STIG-server.xml
index b361774..e653620 100644
--- a/RHEL6/input/profiles/STIG-server.xml
+++ b/RHEL6/input/profiles/STIG-server.xml
@@ -3,6 +3,7 @@
 <description>This profile is being developed under the DoD consensus model to become a STIG in coordination with DISA FSO.</description>
 <select idref="rpm_verify_permissions" selected="true"/>
+<select idref="world_writeable_files" selected="true"/>
 <select idref="install_antivirus" selected="true"/>
 <select idref="install_hids" selected="true"/>
@@ -12,11 +13,21 @@
 <select idref="service_postfix_enabled" selected="true"/>
 <select idref="package_sendmail_removed" selected="true"/>
+<select idref="service_netconsole_disabled" selected="true"/>
+
 <select idref="disable_xwindows_with_runlevel" selected="true"/>
 <select idref="packagegroup_xwindows_remove" selected="true"/>
 <select idref="disable_dhcp_client" selected="true"/>
 <select idref="limiting_password_reuse" selected="true"/>
+
+<select idref="gid_passwd_group_same" selected="true"/>
+<select idref="account_unique_name" selected="true"/>
+
+<select idref="password_require_consecrepeat" selected="true"/>
+
 <select idref="no_files_unowned_by_user" selected="true"/>
+<select idref="no_files_unowned_by_group" selected="true"/>
+
 <select idref="aide_periodic_cron_checking" selected="true"/>
 <select idref="disable_users_coredumps" selected="true"/>
 <select idref="no_insecure_locks_exports" selected="true" />
@@ -50,6 +61,8 @@
 <select idref="user_umask_cshrc" selected="true" />
 <select idref="user_umask_profile" selected="true" />
 <select idref="user_umask_logindefs" selected="true" />
+
+
 <refine-value idref="user_umask_value" selector="077"/>
diff --git a/RHEL6/input/profiles/common.xml b/RHEL6/input/profiles/common.xml
index d240dbd..914ca76 100644
--- a/RHEL6/input/profiles/common.xml
+++ b/RHEL6/input/profiles/common.xml
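Review bot: In the `@@ -12,11 +13,21 @@` hunk of STIG-server.xml, `password_require_consecrepeat` is selected with no `refine-value` beside it, while the same profile pins `user_umask_value` to selector `077` further down. If the rule reads an XCCDF Value for the allowed number of repeated characters (not visible from this patch), the STIG profile silently takes that Value's default rather than a limit chosen for the STIG. I would either add the matching `<refine-value idref="VALUE_ID_PLACEHOLDER" selector="SELECTOR_PLACEHOLDER"/>` or a comment such as `<!-- password_require_consecrepeat: default repeat limit is intended -->` so the choice is explicit.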
@@ -36,11 +36,16 @@
 <select idref="groupowner_passwd_file" selected="true"/>
 <select idref="file_permissions_etc_passwd" selected="true"/>
+<select idref="userowner_group_file" selected="true" />
+<select idref="groupowner_group_file" selected="true" />
+<select idref="perms_group_file" selected="true" />
+
 <select idref="file_permissions_library_dirs" selected="true"/>
 <select idref="file_ownership_library_dirs" selected="true"/>
 <select idref="file_permissions_binary_dirs" selected="true"/>
 <select idref="file_ownership_binary_dirs" selected="true"/>
+<select idref="audit_logs_permissions" selected="true"/>
 <select idref="password_min_len" selected="true"/>
 <select idref="password_min_age" selected="true"/>
@@ -78,6 +83,7 @@
 <select idref="set_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
 <select idref="set_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
 <select idref="set_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
+<select idref="set_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
 <select idref="set_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
 <select idref="set_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
 <select idref="set_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
@@ -203,6 +209,8 @@ these should likely be moved out of common.
 <select idref="use_nodev_option_on_nfs_mounts" selected="true"/>
 <select idref="use_nosuid_option_on_nfs_mounts" selected="true"/>
+<select idref="mountopt_noexec_on_removable_partitions" selected="true"/>
+
 <!-- <select idref="disable_dns_server" selected="true"/> -->
 <!-- <select idref="uninstall_bind" selected="true"/> -->
 <!-- <select idref="disable_vsftpd" selected="true"/> -->
-- 
1.7.1
_______________________________________________
scap-security-guide mailing list
scap-security-guide@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
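Review bot: The three new `/etc/group` selections in the `@@ -36,11 +36,16 @@` hunk of common.xml use a different id scheme and tag style from the lines right above them: `perms_group_file` sits next to `file_permissions_etc_passwd`, and `selected="true" />` next to `selected="true"/>`. A `select` is tied to its rule only by the `idref` string, and the rule definitions are not part of this patch, so a mismatched id could leave a check out of the profile with nothing in this diff to show it. Please confirm each new idref against a defined Rule id, including `audit_logs_permissions` and the ones added in STIG-server.xml. For the style, `<select idref="perms_group_file" selected="true"/>` would match the surrounding lines.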
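Review bot: The `@@ -78,6 +83,7 @@` hunk of common.xml selects only the `default` variant of accept_redirects, and no `conf_all` counterpart appears in the visible context (it may exist outside the hunk). On a host with forwarding disabled the kernel accepts ICMP redirects on an interface when either `conf/all` or the per-interface setting is enabled, and `default` only seeds interfaces created afterwards, so this selection alone does not establish that redirects are refused. If the `all` rule is not already selected elsewhere in the file, add it alongside, e.g. `<select idref="RULE_ID_FOR_CONF_ALL_ACCEPT_REDIRECTS" selected="true"/>` with the real id taken from the rule definitions.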
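Review bot: In the `@@ -203,6 +209,8 @@` hunk of common.xml, `mountopt_noexec_on_removable_partitions` is added under the section whose heading reads "these should likely be moved out of common.", so the patch grows the set of selections already flagged for relocation. Any profile that builds on common would presumably inherit a `noexec` requirement for removable media, which may not suit every baseline. If it has to stay here for now, a marker such as `<!-- TODO: move with the NFS mount options once they leave common -->` above the line would keep it from being missed later. Only `noexec` is selected for removable partitions, while the neighbouring NFS lines cover `nodev` and `nosuid`; whether the removable-media equivalents are intended is worth stating.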