On 2/19/13 6:13 PM, Robert Sanders wrote:
Afternoon folks,
   I'd like to get some feedback on GEN001780.  Asked DISA about this in a 
direct email some time ago and never heard anything back.
   We had a customer having *major* problems with cronjobs after implementing 
this STIG.  Lots of messages showing up in the logs about:
        Bad item passed to pam_*_item()
        pam_env(crond:setcred): pam_putenv: delete non-existent entry; mesg n

Backtracked finally to having 'mesg n' in /etc/environment.

So my questions:

1) Is this line item looking for *at least* one of the listed files, or all files, 
to contain 'mesg n'?
2) The SCC tool seems to be looking at a different set of files than the 
manual-xccdf document.  Which is correct?
    Manual doc - /etc/bashrc /etc/csh.cshrc /etc/csh.login /etc/csh.logout 
/etc/environment /etc/ksh.kshrc /etc/profile /etc/suid_profile /etc/profile.d/*
    SCC - /etc/bashrc /etc/profile /etc/environment /etc/security/environ 
/etc/.login /etc/profile.d/*
3) Why is /etc/environment on this list?  The pam_env.so module will process this file 
expecting to find "name=val" pairs, of which 'mesg n' isn't, so it barfs and 
this seems to upset the apple cart.
4) Why is /etc/security/environ in this list?  I thought that was an AIX-specific 
file, not Linux?

I'm posting this to another mailing list also, so folks may see it twice.


(properly answered on the gov-sec mailing list)

In short: This rule is antiquated and removed from the RHEL6 STIG. In RHEL5 you're only required to pick ONE of the files, not all.
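
An added example, not part of the original thread: a shell check for the failure described above. It flags lines in an environment file that are not NAME=value pairs and lists which startup files carry 'mesg n'. The function names and sample files are constructed for illustration, and the line test only approximates pam_env's parser (blank lines, '#' comments and a leading "export " are accepted).

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the STIG or SCC.

# Print "lineno: text" for each line of file $1 that is not NAME=value.
# Approximation of what pam_env accepts in /etc/environment.
non_env_lines() {
    awk '
        { line = $0
          sub(/^[ \t]+/, "", line)                # ignore leading whitespace
          if (line == "" || line ~ /^#/) next     # blank line or comment
          sub(/^export[ \t]+/, "", line)          # optional "export " prefix
          if (line !~ /^[A-Za-z_][A-Za-z0-9_]*=/)
              printf "%d: %s\n", NR, $0           # e.g. a shell command
        }' "$1"
}

# Print each existing file among the arguments that has a "mesg n" line.
files_with_mesg_n() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*mesg[[:space:]]+n[[:space:]]*(#.*)?$' "$f" &&
            printf '%s\n' "$f"
    done
    return 0
}

# Demonstration on constructed sample files (not real system files).
demo() {
    d=$(mktemp -d) || return 1
    printf 'LANG=en_US.UTF-8\n# comment\nmesg n\nexport PATH=/usr/bin\n' \
        > "$d/environment"
    printf 'umask 077\nmesg n\n' > "$d/profile"
    echo "Lines pam_env would not read as NAME=value:"
    non_env_lines "$d/environment"
    echo "Files containing 'mesg n':"
    files_with_mesg_n "$d/environment" "$d/profile"
    rm -rf "$d"
}
demo
```

On a real host, run `non_env_lines /etc/environment` and pass the file list from the manual check to `files_with_mesg_n`; any hit in /etc/environment is a candidate for moving into a shell startup file such as /etc/profile.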