Making /var/tmp a bind mount to /tmp seems like a really bad idea. Why do it?
On Tue, Sep 10, 2013 at 12:57 PM, David Smith <[email protected]>wrote: > until now -- ack! > > > On Tue, Sep 10, 2013 at 12:55 PM, Maura Dailey <[email protected]>wrote: > >> No one's ACKED these. >> >> - Maura Dailey >> >> On 08/30/2013 01:41 PM, Maura Dailey wrote: >> >>> Added test checks for set of partition checks. >>> >>> Signed-off-by: Maura Dailey <[email protected]> >>> --- >>> RHEL6/input/checks/partition_**for_home.xml | 18 >>> ++++++++++-------- >>> RHEL6/input/checks/partition_**for_tmp.xml | 14 >>> ++++++++------ >>> RHEL6/input/checks/partition_**for_var.xml | 18 >>> ++++++++++-------- >>> RHEL6/input/checks/partition_**for_var_log.xml | 12 >>> +++++++----- >>> RHEL6/input/checks/partition_**for_var_log_audit.xml | 18 >>> +++++++++++------- >>> 5 files changed, 46 insertions(+), 34 deletions(-) >>> >>> diff --git a/RHEL6/input/checks/**partition_for_home.xml >>> b/RHEL6/input/checks/**partition_for_home.xml >>> index b784316..2081d18 100644 >>> --- a/RHEL6/input/checks/**partition_for_home.xml >>> +++ b/RHEL6/input/checks/**partition_for_home.xml 
>>> @@ -5,20 +5,22 @@ >>> <affected family="unix"> >>> <platform>Red Hat Enterprise Linux 6</platform> >>> </affected> >>> - <description>If user home directories will be stored locally, >>> - create a separate partition for /home. If /home will be mounted >>> - from another system such as an NFS server, then creating a >>> separate >>> - partition is not necessary at this time, and the mountpoint can >>> - instead be configured later.</description> >>> + <description>If user home directories will be stored locally, >>> create a >>> + separate partition for /home. If /home will be mounted from >>> another >>> + system such as an NFS server, then creating a separate partition >>> is not >>> + necessary at this time, and the mountpoint can instead be >>> configured >>> + later.</description> >>> + <reference source="MED" ref_id="20130830" >>> ref_url="test_attestation" /> >>> </metadata> >>> <criteria> >>> <criterion test_ref="test_home_partition" comment="/home on own >>> partition" /> >>> </criteria> >>> </definition> >>> - <linux:partition_test check="all" check_existence="all_exist" >>> id="test_home_partition" version="1" comment="/home on own partition"> >>> - <linux:object object_ref="object_mount_home_**own_partition" /> >>> + <linux:partition_test check="all" check_existence="all_exist" >>> + id="test_home_partition" version="1" comment="/home on own partition"> >>> + <linux:object object_ref="object_mount_home_**own_partition" /> >>> </linux:partition_test> >>> <linux:partition_object id="object_mount_home_own_**partition" >>> version="1"> >>> - <linux:mount_point>/home</**linux:mount_point> >>> + <linux:mount_point>/home</**linux:mount_point> >>> </linux:partition_object> >>> </def-group> >>> diff --git a/RHEL6/input/checks/**partition_for_tmp.xml >>> b/RHEL6/input/checks/**partition_for_tmp.xml >>> index de93ee9..9c28c13 100644 >>> --- a/RHEL6/input/checks/**partition_for_tmp.xml >>> +++ b/RHEL6/input/checks/**partition_for_tmp.xml 
>>> @@ -5,18 +5,20 @@ >>> <affected family="unix"> >>> <platform>Red Hat Enterprise Linux 6</platform> >>> </affected> >>> - <description>The /tmp directory is a world-writable directory >>> - used for temporary file storage. Verify that it has its own >>> - partition or logical volume.</description> >>> + <description>The /tmp directory is a world-writable directory >>> used for >>> + temporary file storage. Verify that it has its own partition or >>> logical >>> + volume.</description> >>> + <reference source="MED" ref_id="20130830" >>> ref_url="test_attestation" /> >>> </metadata> >>> <criteria> >>> <criterion test_ref="test_tmp_partition" comment="/tmp on own >>> partition" /> >>> </criteria> >>> </definition> >>> - <linux:partition_test check="all" check_existence="all_exist" >>> id="test_tmp_partition" version="1" comment="/tmp on own partition"> >>> - <linux:object object_ref="object_own_tmp_**partition" /> >>> + <linux:partition_test check="all" check_existence="all_exist" >>> + id="test_tmp_partition" version="1" comment="/tmp on own partition"> >>> + <linux:object object_ref="object_own_tmp_**partition" /> >>> </linux:partition_test> >>> <linux:partition_object id="object_own_tmp_partition" version="1"> >>> - <linux:mount_point>/tmp</**linux:mount_point> >>> + <linux:mount_point>/tmp</**linux:mount_point> >>> </linux:partition_object> >>> </def-group> >>> diff --git a/RHEL6/input/checks/**partition_for_var.xml >>> b/RHEL6/input/checks/**partition_for_var.xml >>> index 58089ab..2ed1d38 100644 >>> --- a/RHEL6/input/checks/**partition_for_var.xml >>> +++ b/RHEL6/input/checks/**partition_for_var.xml 
>>> @@ -5,20 +5,22 @@ >>> <affected family="unix"> >>> <platform>Red Hat Enterprise Linux 6</platform> >>> </affected> >>> - <description>Ensuring that /var is mounted on its own partition >>> enables the >>> - setting of more restrictive mount options, which is used as >>> temporary >>> - storage by many program, particularly system services such as >>> daemons. >>> - It is not uncommon for the /var directory to contain >>> world-writable directories, >>> - installed by other software packages.</description> >>> + <description>Ensuring that /var is mounted on its own partition >>> enables >>> + the setting of more restrictive mount options, which is used as >>> temporary >>> + storage by many program, particularly system services such as >>> daemons. It >>> + is not uncommon for the /var directory to contain world-writable >>> + directories, installed by other software packages.</description> >>> + <reference source="MED" ref_id="20130830" >>> ref_url="test_attestation" /> >>> </metadata> >>> <criteria> >>> <criterion test_ref="test_var_partition" comment="/var on own >>> partition" /> >>> </criteria> >>> </definition> >>> - <linux:partition_test check="all" check_existence="all_exist" >>> id="test_var_partition" version="1" comment="/var on own partition"> >>> - <linux:object object_ref="object_mount_var_**own_partition" /> >>> + <linux:partition_test check="all" check_existence="all_exist" >>> + id="test_var_partition" version="1" comment="/var on own partition"> >>> + <linux:object object_ref="object_mount_var_**own_partition" /> >>> </linux:partition_test> >>> <linux:partition_object id="object_mount_var_own_**partition" >>> version="1"> >>> - <linux:mount_point>/var</**linux:mount_point> >>> + <linux:mount_point>/var</**linux:mount_point> >>> </linux:partition_object> >>> </def-group> >>> diff --git a/RHEL6/input/checks/**partition_for_var_log.xml >>> b/RHEL6/input/checks/**partition_for_var_log.xml >>> index 8a8a6f4..94d235b 100644 
>>> --- a/RHEL6/input/checks/**partition_for_var_log.xml >>> +++ b/RHEL6/input/checks/**partition_for_var_log.xml >>> @@ -5,17 +5,19 @@ >>> <affected family="unix"> >>> <platform>Red Hat Enterprise Linux 6</platform> >>> </affected> >>> - <description>System logs are stored in the /var/log directory. >>> - Ensure that it has its own partition or logical >>> volume.</description> >>> + <description>System logs are stored in the /var/log directory. >>> Ensure >>> + that it has its own partition or logical volume.</description> >>> + <reference source="MED" ref_id="20130830" >>> ref_url="test_attestation" /> >>> </metadata> >>> <criteria> >>> <criterion test_ref="test_var_log_**partition" >>> comment="/var/log on own partition" /> >>> </criteria> >>> </definition> >>> - <linux:partition_test check="all" check_existence="all_exist" >>> id="test_var_log_partition" version="1" comment="/var/log on own partition"> >>> - <linux:object object_ref="object_mount_var_**log_own_partition" >>> /> >>> + <linux:partition_test check="all" check_existence="all_exist" >>> + id="test_var_log_partition" version="1" comment="/var/log on own >>> partition"> >>> + <linux:object object_ref="object_mount_var_**log_own_partition" /> >>> </linux:partition_test> >>> <linux:partition_object id="object_mount_var_log_own_**partition" >>> version="1"> >>> - <linux:mount_point>/var/log</**linux:mount_point> >>> + <linux:mount_point>/var/log</**linux:mount_point> >>> </linux:partition_object> >>> </def-group> >>> diff --git a/RHEL6/input/checks/**partition_for_var_log_audit.**xml >>> b/RHEL6/input/checks/**partition_for_var_log_audit.**xml >>> index e88ceba..b7a7d68 100644 >>> --- a/RHEL6/input/checks/**partition_for_var_log_audit.**xml >>> +++ b/RHEL6/input/checks/**partition_for_var_log_audit.**xml 
>>> @@ -6,18 +6,22 @@ >>> <platform>Red Hat Enterprise Linux 6</platform> >>> </affected> >>> <description>Audit logs are stored in the /var/log/audit >>> directory. >>> - Ensure that it has its own partition or logical volume. Make >>> - absolutely certain that it is large enough to store all audit logs >>> - that will be created by the auditing daemon.</description> >>> + Ensure that it has its own partition or logical volume. Make >>> absolutely >>> + certain that it is large enough to store all audit logs that will >>> be >>> + created by the auditing daemon.</description> >>> + <reference source="MED" ref_id="20130830" >>> ref_url="test_attestation" /> >>> </metadata> >>> <criteria> >>> <criterion test_ref="test_var_log_audit_**partition" >>> comment="/var/log/audit on own partition" /> >>> </criteria> >>> </definition> >>> - <linux:partition_test check="all" check_existence="all_exist" >>> id="test_var_log_audit_**partition" version="1" comment="check for >>> /var/log/audit partition"> >>> - <linux:object object_ref="object_mount_var_**log_audit_own_partition" >>> /> >>> + <linux:partition_test check="all" check_existence="all_exist" >>> + id="test_var_log_audit_**partition" version="1" >>> + comment="check for /var/log/audit partition"> >>> + <linux:object object_ref="object_mount_var_**log_audit_own_partition" >>> /> >>> </linux:partition_test> >>> - <linux:partition_object id="object_mount_var_log_**audit_own_partition" >>> version="1"> >>> - <linux:mount_point>/var/log/**audit</linux:mount_point> >>> + <linux:partition_object id="object_mount_var_log_** >>> audit_own_partition" >>> + version="1"> >>> + <linux:mount_point>/var/log/**audit</linux:mount_point> >>> </linux:partition_object> >>> </def-group> >>> >> >> ______________________________**_________________ >> scap-security-guide mailing list >> scap-security-guide@lists.**fedorahosted.org<[email protected]> >> 
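Review bot: the patch as mailed is soft-wrapped and will not apply cleanly. In the partition_for_home.xml hunk the "+" lines spill into unprefixed continuation lines ("create a", "another", "is not", "configured", "version="1">"), and every later hunk shows the same breaks; please attach the patch or send it with git send-email so the hunks arrive intact. The commit message "Added test checks for set of partition checks" also does not describe the change: the only substantive line added is "<reference source="MED" ref_id="20130830" ref_url="test_attestation" />", everything else is description reflow and re-indentation. Reword it as a test attestation and record what was verified (platform, how /home was mounted, the expected pass and fail results), and consider putting the whitespace-only reflow in its own commit so the attestation is easy to audit.

Review bot: in the partition_for_tmp.xml hunk the object is named "object_own_tmp_partition" while the other four files use the "object_mount_<path>_own_partition" pattern; since both the test's "object_ref" line and the "partition_object" line are rewritten here anyway, renaming it to "object_mount_tmp_own_partition" would make the five checks consistent at no extra cost.

Review bot: the reflowed description in the partition_for_var.xml hunk keeps a sentence that reads wrong: "enables the setting of more restrictive mount options, which is used as temporary storage by many program" attaches the "used as temporary storage" clause to the mount options rather than to /var, and "many program" should be "many programs". Since the "+" lines rewrite this text anyway, suggest: "Ensuring that /var is mounted on its own partition enables the setting of more restrictive mount options. /var is used as temporary storage by many programs, particularly system services such as daemons."

Review bot: in the partition_for_var_log_audit.xml hunk the new "partition_object" id appears broken across two lines ("object_mount_var_log_" / "audit_own_partition""). If that split is in the file rather than mail wrapping, the id will no longer match the test's object_ref "object_mount_var_log_audit_own_partition" and the check will fail to resolve; please confirm it is a single token. While this line is touched, the test comment "check for /var/log/audit partition" could also be aligned with the criterion's "/var/log/audit on own partition" and with the "<path> on own partition" wording the other four tests use.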
>> https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide

-- 
Mind on a Mission <http://leamhall.blogspot.com/>
