Signed-off-by: David Smith <[email protected]>
---
 RHEL6/input/services/obsolete.xml                 | 10 ++++++++--
 RHEL6/input/system/accounts/physical.xml          |  7 ++++++-
 RHEL6/input/system/network/iptables.xml           | 10 ++++++++--
 RHEL6/input/system/network/ipv6.xml               |  2 ++
 RHEL6/input/system/permissions/files.xml          |  2 +-
 RHEL6/input/system/software/disk_partitioning.xml | 10 +++++-----
 6 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/RHEL6/input/services/obsolete.xml b/RHEL6/input/services/obsolete.xml index cceb0e0..0a51c23 100644 --- a/RHEL6/input/services/obsolete.xml +++ b/RHEL6/input/services/obsolete.xml @@ -29,7 +29,10 @@ is not even available as part of RHEL 6.</description> <description> <service-disable-macro service="xinetd" /> </description> -<ocil><service-disable-check-macro service="xinetd" /></ocil> +<ocil> +If network services are using the xinetd service, this is not applicable. +<br /><br /> +<service-disable-check-macro service="xinetd" /></ocil> <rationale> The xinetd service provides a dedicated listener service for some programs, which is no longer necessary for commonly-used network services. Disabling @@ -47,7 +50,10 @@ attacks against xinetd itself. <description>The <tt>xinetd</tt> package can be uninstalled with the following command: <pre># yum erase xinetd</pre> </description> -<ocil><package-check-macro package="xinetd" /> </ocil> +<ocil> +If network services are using the xinetd service, this is not applicable. +<br /><br /> +<package-check-macro package="xinetd" /> </ocil> <rationale> Removing the <tt>xinetd</tt> package decreases the risk of the xinetd service's accidental (or intentional) activation. diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml index 9d56713..4da9a73 100644 --- a/RHEL6/input/system/accounts/physical.xml +++ b/RHEL6/input/system/accounts/physical.xml 
@@ -63,7 +63,12 @@ file should not have any access privileges anyway. is the default. <fileperms-desc-macro file="/boot/grub/grub.conf" perms="600"/> </description> -<ocil><fileperms-check-macro file="/boot/grub/grub.conf" perms="-rw-------"/></ocil> +<ocil clause ="it does not"> +To check the permissions of /etc/grub.conf, run the command: +<pre># ls -lL /etc/grub.conf</pre> +If properly configured, the output should indicate the following +permissions: <tt>-rw-------</tt> +</ocil> <rationale> Proper permissions ensure that only the root user can modify important boot parameters. diff --git a/RHEL6/input/system/network/iptables.xml b/RHEL6/input/system/network/iptables.xml index 46b49ff..bd15fdf 100644 --- a/RHEL6/input/system/network/iptables.xml +++ b/RHEL6/input/system/network/iptables.xml @@ -53,7 +53,10 @@ The <tt>ip6tables</tt> default rules are essentially the same.</description> <description> <service-enable-macro service="ip6tables" /> </description> -<ocil><service-enable-check-macro service="ip6tables" /></ocil> +<ocil> +If IPv6 is disabled, this is not applicable. +<br /><br /> +<service-enable-check-macro service="ip6tables" /></ocil> <rationale>The <tt>ip6tables</tt> service provides the system's host-based firewalling capability for IPv6 and ICMPv6. </rationale> @@ -71,7 +74,10 @@ add or correct the following line in <tt>/etc/sysconfig/ip6tables</tt>: <pre>:INPUT DROP [0:0]</pre> </description> -<ocil clause="the default policy for the INPUT chain is not set to DROP">Inspect the file <tt>/etc/sysconfig/ip6tables</tt> to determine +<ocil clause="the default policy for the INPUT chain is not set to DROP"> +If IPv6 is disabled, this is not applicable. +<br /><br /> +Inspect the file <tt>/etc/sysconfig/ip6tables</tt> to determine the default policy for the INPUT chain. It should be set to DROP: <pre> # grep ":INPUT" /etc/sysconfig/ip6tables</pre> </ocil> 
diff --git a/RHEL6/input/system/network/ipv6.xml b/RHEL6/input/system/network/ipv6.xml index aa53d82..a481269 100644 --- a/RHEL6/input/system/network/ipv6.xml +++ b/RHEL6/input/system/network/ipv6.xml @@ -27,6 +27,8 @@ This permits the IPv6 module to be loaded (and thus satisfy other modules that depend on it), while disabling support for the IPv6 protocol. </description> <ocil clause="the ipv6 kernel module is loaded"> +If the system uses IPv6, this is not applicable. +<br /><br /> If the system is configured to prevent the loading of the <tt>ipv6</tt> kernel module, it will contain a line of the form: diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml index fe1d4b4..6a9c707 100644 --- a/RHEL6/input/system/permissions/files.xml +++ b/RHEL6/input/system/permissions/files.xml @@ -244,7 +244,7 @@ Shared libraries are stored in the following directories: </pre> For each of these directories, run the following command to find files not owned by root: -<pre>$ find <i>DIR</i> \! -user root</pre> +<pre>$ find <i>DIR</i> \! -user root -type f</pre> </ocil> <rationale>Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at diff --git a/RHEL6/input/system/software/disk_partitioning.xml b/RHEL6/input/system/software/disk_partitioning.xml index 1c33aff..c674447 100644 --- a/RHEL6/input/system/software/disk_partitioning.xml +++ b/RHEL6/input/system/software/disk_partitioning.xml 
@@ -31,7 +31,7 @@ The <tt>/tmp</tt> directory is a world-writable directory used for temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM. </description> -<ocil><partition-check-macro part="/tmp"/></ocil> +<ocil><partition-check-macro part="/tmp "/></ocil> <rationale> The <tt>/tmp</tt> partition is used as temporary storage by many programs. Placing <tt>/tmp</tt> in its own partition enables the setting of more @@ -49,7 +49,7 @@ restrictive mount options, which can help protect programs which use it. services to store frequently-changing data. Ensure that <tt>/var</tt> has its own partition or logical volume at installation time, or migrate it using LVM. </description> -<ocil><partition-check-macro part="/var"/></ocil> +<ocil><partition-check-macro part="/var "/></ocil> <rationale> Ensuring that <tt>/var</tt> is mounted on its own partition enables the setting of more restrictive mount options. This helps protect @@ -70,7 +70,7 @@ System logs are stored in the <tt>/var/log</tt> directory. Ensure that it has its own partition or logical volume at installation time, or migrate it using LVM. </description> -<ocil><partition-check-macro part="/var/log"/></ocil> +<ocil><partition-check-macro part="/var/log "/></ocil> <rationale> Placing <tt>/var/log</tt> in its own partition enables better separation between log files @@ -90,7 +90,7 @@ has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon. </description> -<ocil><partition-check-macro part="/var/log/audit"/></ocil> +<ocil><partition-check-macro part="/var/log/audit "/></ocil> <rationale> Placing <tt>/var/log/audit</tt> in its own partition enables better separation between audit files 
@@ -113,7 +113,7 @@ for <tt>/home</tt> at installation time (or migrate it later using LVM). If creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later. </description> -<ocil><partition-check-macro part="/home"/></ocil> +<ocil><partition-check-macro part="/home "/></ocil> <rationale> Ensuring that <tt>/home</tt> is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that -- 1.7.1 _______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
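Review bot: the applicability sentence added to the xinetd service-disable OCIL (obsolete.xml, hunk @@ -29,7 +29,10 @@), "If network services are using the xinetd service, this is not applicable.", reads as if any current use of xinetd exempts the system, which makes a rule in the obsolete-services section self-defeating: a host whose only xinetd clients are services this same section says to remove would pass. Narrow it to the requirement, for example "If a network service the site requires can only be provided through xinetd, this is not applicable.", and since neighbouring rules in this patch state the failing condition in the `clause` attribute, consider putting the exception there rather than as free text ahead of `<service-disable-check-macro service="xinetd" />`.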
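Review bot: the same applicability text is pasted verbatim into the xinetd package-removal OCIL (obsolete.xml, hunk @@ -47,7 +50,10 @@); if the wording is kept, the two copies should be one shared macro or entity so they do not drift, and the two blocks already differ in whitespace before `</ocil>`. Removing the package is the stronger control, so if an exception is justified for leaving the service enabled, the text should say explicitly that it also covers keeping the package installed.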
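Review bot: the new grub.conf permissions OCIL (physical.xml, hunk @@ -63,7 +63,12 @@) checks a different path than the description it sits under: the description line is `<fileperms-desc-macro file="/boot/grub/grub.conf" perms="600"/>` while the check runs `# ls -lL /etc/grub.conf`. On RHEL 6 /etc/grub.conf is normally a symlink to /boot/grub/grub.conf and `-L` dereferences it, so the command works on a default install, but the description and the check should name the same file, and the text should say it follows the symlink. Replacing `<fileperms-check-macro file="/boot/grub/grub.conf" perms="-rw-------"/>` with hand-written text also drops the macro's standard wording; if the only change wanted was the `clause` attribute, keep the macro and add the attribute. Minor: `<ocil clause ="it does not">` has a stray space before `=`; every other `clause` in this patch is written `clause="..."`.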
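Review bot: the ip6tables service OCIL (iptables.xml, hunk @@ -53,7 +53,10 @@) now says "If IPv6 is disabled, this is not applicable." but gives the reviewer no way to establish that; point at the condition the ipv6.xml OCIL in this same patch describes (the system being configured to prevent the `ipv6` kernel module from loading) so that the ip6tables rules and the ipv6 rule share one definition of "disabled". The same applies to the INPUT-chain hunk (@@ -71,7 +74,10 @@), which adds the identical sentence.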
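Review bot: the exception added to the ipv6 rule (ipv6.xml, hunk @@ -27,6 +27,8 @@), "If the system uses IPv6, this is not applicable.", makes the rule circular: its purpose is to disable IPv6 where it is not needed and its `clause` is "the ipv6 kernel module is loaded", so any system that simply has IPv6 left enabled now exempts itself. Phrase it as a requirement, for example "If IPv6 is required on the system, this is not applicable.", so the reviewer distinguishes a protocol that is needed from one that was never turned off.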
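Review bot: adding `-type f` to `find DIR \! -user root` (files.xml, hunk @@ -244,7 +244,7 @@) narrows the check more than the rationale supports: the rationale says the contents of these directories are loaded into processes and the kernel, and a subdirectory or symlink in a library path that is not owned by root lets its owner introduce or redirect a library just as a non-root-owned regular file does. If the intent is to skip directories that packaging legitimately creates, say so in the OCIL text; otherwise use `\! -user root \( -type f -o -type l \)` or drop the type filter. Also confirm the automated check for this rule applies the same filter, or manual and automated results will disagree.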
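Review bot: the only change in the /tmp hunk of disk_partitioning.xml (@@ -31,7 +31,7 @@), and likewise in the /var, /var/log, /var/log/audit and /home hunks, is a trailing space inside the `part` attribute, `part="/tmp "`. Nothing in the patch or its message explains it. If it is there so the macro's expansion matches the mount point as a whole word (so that /tmp does not also match a longer path in a grep of the mount table), put the separator in the macro body, where it is visible and documented, rather than in every caller, where it looks accidental and will be stripped by the next whitespace cleanup; if it is not intentional, drop these five hunks. Either way the commit message should state the reason.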
