On 2/4/13 3:15 PM, Mike Palmiotto wrote:
On 2/4/2013 1:11 PM, Philip Shuman wrote:
I nuked by git repo, recloned, and am still having the same problem.
The docs
have /bin/true but the check is for /bin/false.
Looks like the check is defined here:
input/checks/kernel_module_dccp_disabled.xml:
<ind:pattern operation="pattern
match">^\s*install\s+dccp\s+/bin/false$</ind:pattern>
And the documentation is driven by this macro:
scap-security-guide/RHEL6/ transforms/shorthand2xccdf.xslt:
<xsl:template match="module-disable-macro">
To configure the system to prevent the <xhtml:code><xsl:value-of
select="@module"/></xhtml:code>
kernel module from being loaded, add the following line to a file in the
directory <xhtml:code>/etc/modprobe.d</xhtml:code>:
<xhtml:pre xml:space="preserve">install <xsl:value-of select="@module"/>
/bin/true</xhtml:pre>
</xsl:template>
Yeah the git history makes it seem as if the bugfix has not yet been
pushed (https://fedorahosted.org/scap-security-guide/log/)
Did the push now, and also updated my people.redhat.com site for those
which follow it.
Looks like we caught them all:
[shawn@rhel6 input]$ grep -rin "bin\/true" *
(no return)
Thanks for cleaning up my mess though, Shawn.
Please, you did the heavy lifting via updating the OVAL stuff. It'd be a
crummy community if we didn't help each other out!
_______________________________________________
scap-security-guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
